Kaspersky Security Center 13.1


Managing third-party applications on client devices

Kaspersky Security Center allows you to manage applications by Kaspersky and other vendors installed on client devices.

The administrator can perform the following actions:

  • Create application categories based on specified criteria.
  • Manage application categories using specially created rules.
  • Manage applications run on devices.
  • Perform inventories and maintain a registry of software installed on devices.
  • Fix vulnerabilities in software installed on devices.
  • Install updates from Windows Update and other software makers on devices.
  • Monitor the use of license keys for licensed applications groups.

In this section

Installing third-party software updates

Fixing third-party software vulnerabilities

Groups of applications


Installing third-party software updates

Kaspersky Security Center allows you to manage updates of software installed on client devices and to fix vulnerabilities in Microsoft applications and other software makers' products by installing the required updates.

Kaspersky Security Center searches for updates through the update search task and downloads them to the updates repository. After completing the search of updates, the application provides the administrator with information about available updates and vulnerabilities in applications that can be fixed using those updates.

Information about available updates for Microsoft Windows is provided by the Windows Update service. Administration Server can be used as a Windows Server Update Services (WSUS) server. To use Administration Server as a WSUS server, you should configure synchronization of updates with Windows Update. After you have configured data synchronization with Windows Update, Administration Server provides updates to Windows Update services on devices in centralized mode and with the set frequency.

You can also manage software updates through a Network Agent policy. To do this, you should create a Network Agent policy and configure software updating in the corresponding windows of the New Policy Wizard.

The administrator can view a list of available updates in the Software updates subfolder included in the Application management folder. This folder contains a list of updates for Microsoft applications and other software makers' products retrieved by Administration Server that can be distributed to devices. After viewing information about available updates, the administrator can install them to devices.

Kaspersky Security Center updates some applications by removing the previous version of the application and installing the new one.

User interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it is currently open.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, and do not perform any analysis of the updates other than the types specified in the paragraph above.

Before installing the updates on all of the devices, you can perform a test installation to make sure that the installed updates do not cause failures in the operation of applications on the devices.

You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.

In this section

Scenario: Updating third-party software

Viewing information about available updates for third-party applications

Approving and declining software updates

Synchronizing updates from Windows Update with Administration Server

Installing updates on devices manually

Configuring Windows updates in a Network Agent policy


Scenario: Updating third-party software

This section provides a scenario for updating third-party software installed on the client devices. The third-party software includes applications from Microsoft and other software vendors. Updates for Microsoft applications are provided by the Windows Update service.

Prerequisites

Administration Server must have a connection to the internet to install updates of third-party software other than Microsoft software.

By default, an internet connection is not required for Administration Server to install Microsoft software updates on the managed devices. For example, the managed devices can download the Microsoft software updates directly from Microsoft Update servers or from a Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network. Administration Server must be connected to the internet when you use Administration Server as a WSUS server.

Stages

Updating third-party software proceeds in stages:

  1. Searching for required updates

    To find the third-party software updates required for the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

    The Find vulnerabilities and required updates task is created automatically by the Administration Server Quick Start Wizard. If you did not run the Wizard, create the task or run the Quick Start Wizard now.


  2. Analyzing the list of found updates

    View the SOFTWARE UPDATES list and decide which updates you want to install. To view detailed information about each update, click the update name in the list. For each update in the list, you can also view the statistics on the update installation on client devices.


  3. Configuring installation of updates

    After Kaspersky Security Center has received the list of the third-party software updates, you can install them on client devices by using the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. Create one of these tasks. You can create these tasks on the TASKS tab or by using the SOFTWARE UPDATES list.

    The Install required updates and fix vulnerabilities task is used to install updates for Microsoft applications, including the updates provided by the Windows Update service, and updates of other vendors' products. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature.

    The Install Windows Update updates task does not require a license, but it can be used to install Windows Update updates only.

    To install some software updates you must accept the End User License Agreement (EULA) for the installation software. If you decline the EULA, the software update will not be installed.

    You can start an update installation task by schedule. When specifying the task schedule, make sure that the update installation task starts after the Find vulnerabilities and required updates task is complete.


  4. Scheduling the tasks

    To be sure that the update list is always up-to-date, schedule the Find vulnerabilities and required updates task to run automatically from time to time. The default frequency is once a week.

    If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Install Windows Update updates task, note that for this task you must define the list of updates every time before starting this task.

    When scheduling the tasks, make sure that an update installation task starts after the Find vulnerabilities and required updates task is complete.

  5. Approving and declining software updates (optional)

    If you have created the Install required updates and fix vulnerabilities task, you can specify rules for update installation in the task properties. If you have created the Install Windows Update updates task, skip this step.

    For each rule, you can define the updates to install depending on the update status: Undefined, Approved or Declined. For example, you may want to create a specific task for servers and set a rule for this task to allow installation of only Windows Update updates and only those ones that have Approved status. After that you manually set the Approved status for those updates that you want to install. In this case the Windows Update updates that have the Undefined or Declined status will not be installed on the servers that you specified in the task.

    Using the Approved status to manage update installation is efficient for a small number of updates. To install multiple updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large number of updates, the performance of Administration Server decreases, which may lead to Administration Server overload.

    By default, the downloaded software updates have the Undefined status. You can change the status to Approved or Declined in the SOFTWARE UPDATES list (OPERATIONS → PATCH MANAGEMENT → SOFTWARE UPDATES).

  6. Configuring Administration Server to work as a Windows Server Update Services (WSUS) server (optional)

    By default, Windows Update updates are downloaded to the managed devices from Microsoft servers. You can change this setting to use the Administration Server as a WSUS server. In this case, the Administration Server synchronizes the update data with Windows Update at the specified frequency and provides updates in centralized mode to Windows Update on networked devices.

    To use the Administration Server as a WSUS server, create the Perform Windows Update synchronization task and select the Use Administration Server as WSUS server check box in the Network Agent policy.

  7. Running an update installation task

    Start the Install required updates and fix vulnerabilities task or the Install Windows Update updates task. When you start these tasks, updates are downloaded and installed on managed devices. After the task is complete, make sure that it has the Completed successfully status in the task list.

  8. Creating the report on results of update installation of third-party software (optional)

    To view detailed statistics on the update installation, create the Report on results of installation of third-party software updates.

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the updates are installed on the managed devices automatically. When new updates are downloaded to the Administration Server repository, Kaspersky Security Center checks whether they meet the criteria specified in the update rules. All new updates that meet the criteria will be installed automatically at the next task run.

If you have created the Install Windows Update updates task, only those updates specified in the Install Windows Update updates task properties are installed. In future, if you want to install new updates downloaded to the Administration Server repository, you must add the required updates to the list of updates in the existing task or create a new Install Windows Update updates task.

See also

Viewing information about available updates for third-party applications

Approving and declining software updates

Synchronizing updates from Windows Update with Administration Server

Installing updates on devices manually

Configuring Windows updates in a Network Agent policy


Viewing information about available updates for third-party applications

To view a list of available updates for third-party applications installed on client devices,

In the Advanced → Application management folder in the console tree, select the Software updates subfolder.

In the workspace of the folder, you can view a list of available updates for applications installed on devices.

To view the properties of an update,

In the workspace of the Software updates folder, in the context menu of the update, select Properties.

The following information is available for viewing in the properties window of the update:

  • In the General section you can view the Update approval status:
    • Undefined—the update is available in the list of updates, but is not approved for installation.
    • Approved—the update is available in the list of updates and approved for installation.
    • Declined—the update is declined for installation.
  • In the Attributes section you can view the values of the Installed automatically field:
    • The Automatically value is displayed if the Install required updates and fix vulnerabilities task can install updates for the application. The task automatically installs new updates from the web address provided by the vendor of third-party software.
    • The Manually value is displayed if Kaspersky Security Center cannot install updates for the application automatically. You can install updates manually.

    The Installed automatically field is not displayed for Windows application updates.

  • List of client devices for which the update is intended.
  • List of system components (prerequisites) that have to be installed before the update (if any).
  • Software vulnerabilities that the update will fix.

See also:

Scenario: Updating third-party software


Approving and declining software updates

The settings of an update installation task may require approval of updates that are to be installed. You can approve updates that must be installed and decline updates that must not be installed.

For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these updates on client devices.

Using the Approved status to manage third-party update installation is efficient for a small number of updates. To install multiple third-party updates, use the rules that you can configure in the Install required updates and fix vulnerabilities task. We recommend that you set the Approved status for only those specific updates that do not meet the criteria specified in the rules. When you manually approve a large number of updates, the performance of Administration Server decreases, which may lead to Administration Server overload.

To approve or decline one or several updates:

  1. In the console tree, select the Advanced → Application management → Software updates node.
  2. In the workspace of the Software updates folder, click the Refresh button in the upper right corner. A list of updates appears.
  3. Select the updates that you want to approve or decline.

    The information box for the selected objects appears on the right side of the workspace.

  4. In the Update approval status drop-down list, select Approved to approve the selected updates or Declined to decline the selected updates.

    The default value is Undefined.

The updates for which you set the Approved status are placed in a queue for installation.

The updates for which you set the Declined status are uninstalled (if possible) from all devices on which they were previously installed. Also, they will not be installed on other devices in future.

Some updates for Kaspersky applications cannot be uninstalled. If you set the Declined status for them, Kaspersky Security Center will not uninstall these updates from the devices on which they were previously installed. However, these updates will never be installed on other devices in future. If an update for Kaspersky applications cannot be uninstalled, this property is displayed in the update properties window: in the Sections pane select General, and in the workspace the property will appear under Installation requirements.

If you set the Declined status for third-party software updates, these updates will not be installed on devices for which they were planned but have not yet been installed. Updates will still remain on devices on which they were already installed. If you have to delete them, you can manually delete them locally.
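
The status and rule behavior described in this section can be modeled per device, as in the following added example. It is not Kaspersky code and calls no Kaspersky API: the names `Update`, `Rule`, `plan` and the sample updates are constructed for illustration, and Windows Update updates are assumed to follow the third-party behavior when declined.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    UNDEFINED = "Undefined"   # default status of a downloaded update
    APPROVED = "Approved"
    DECLINED = "Declined"


@dataclass(frozen=True)
class Update:
    name: str                   # constructed sample name
    source: str                 # "kaspersky", "windows_update" or "third_party"
    status: Status = Status.UNDEFINED
    can_uninstall: bool = True  # only meaningful for Kaspersky updates


@dataclass(frozen=True)
class Rule:
    sources: frozenset          # update sources the task rule covers
    statuses: frozenset         # approval statuses the task rule accepts


def plan(update: Update, rule: Rule, installed: bool) -> str:
    """Action for one update on one device: install, uninstall, keep or skip."""
    if update.status is Status.DECLINED:
        if not installed:
            return "skip"       # declined updates are not installed in future
        if update.source == "kaspersky" and update.can_uninstall:
            return "uninstall"  # removed where uninstallation is possible
        return "keep"           # remains until deleted locally
    if installed:
        return "keep"
    matches = update.source in rule.sources and update.status in rule.statuses
    return "install" if matches else "skip"


# The server task from the scenario: Windows Update updates only, Approved only.
SERVER_RULE = Rule(frozenset({"windows_update"}), frozenset({Status.APPROVED}))

# Constructed inventory for one server: (update, already installed?)
SAMPLE = [
    (Update("WU-approved", "windows_update", Status.APPROVED), False),
    (Update("WU-undefined", "windows_update"), False),
    (Update("Vendor-approved", "third_party", Status.APPROVED), False),
    (Update("Vendor-declined-present", "third_party", Status.DECLINED), True),
    (Update("Vendor-declined-planned", "third_party", Status.DECLINED), False),
    (Update("KL-declined", "kaspersky", Status.DECLINED), True),
    (Update("KL-declined-fixed", "kaspersky", Status.DECLINED, False), True),
]


def server_plan() -> dict:
    """Evaluate the server rule against the constructed inventory."""
    return {u.name: plan(u, SERVER_RULE, inst) for u, inst in SAMPLE}


if __name__ == "__main__":
    for name, action in server_plan().items():
        print(f"{name:26} {action}")
```

Only the approved Windows Update update is queued for installation; a declined third-party update that is already present stays on the device, which is the case an administrator has to clean up locally.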

See also:

Scenario: Regular updating Kaspersky databases and applications

Scenario: Updating third-party software


Synchronizing updates from Windows Update with Administration Server

If you have selected Use Administration Server as a WSUS server in the Update management settings window of the Quick Start Wizard, the Windows Update synchronization task is created automatically. You can run the task in the Tasks folder. Microsoft software update functionality is available only after the Perform Windows Update synchronization task has completed successfully.

The Perform Windows Update synchronization task only downloads metadata from Microsoft servers. If the network does not use a WSUS server, each client device downloads Microsoft updates from external servers independently.

To create a task for synchronizing Windows Updates with Administration Server:

  1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
  2. Click the Additional actions button and select Configure Windows Update synchronization in the drop-down list.

    The Windows Update Center Data Retrieval Task Creation Wizard starts. Follow the instructions of the Wizard.

    The Wizard creates the Perform Windows Update synchronization task displayed in the Tasks folder.

You can also create the Windows Update synchronization task in the Tasks folder by clicking Create a task.

Microsoft regularly deletes outdated updates from the company's servers so the number of current updates is always between 200,000 and 300,000. In Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1 and earlier versions, all updates were retained: no outdated updates were deleted. As a result, the database continuously grew in size. To reduce disk space usage and database size, deletion of outdated updates that are no longer present on Microsoft update servers has been implemented in Kaspersky Security Center 10 Service Pack 3.

When running the Perform Windows Update synchronization task, the application receives a list of current updates from a Microsoft update server. Next, Kaspersky Security Center compiles a list of updates that have become outdated. At the next start of the Find vulnerabilities and required updates task, Kaspersky Security Center flags all outdated updates and sets the deletion time for them. At the next start of the Perform Windows Update synchronization task, all updates flagged for deletion 30 days ago are deleted. Kaspersky Security Center also checks for outdated updates that were flagged for deletion more than 180 days ago, and then deletes those older updates.

When the Perform Windows Update synchronization task completes and outdated updates are deleted, the database may still have the hash codes pertaining to the files of deleted updates, as well as corresponding files in the %AllUsersProfile%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles files (if they were downloaded earlier). You can run the Administration Server maintenance task to delete these outdated records from the database and corresponding files.

In this section

Step 1. Defining whether to reduce traffic

Step 2. Applications

Step 3. Update categories

Step 4. Updates languages

Step 5. Selecting the account to start the task

Step 6. Configuring a task start schedule

Step 7. Defining the task name

Step 8. Completing creation of the task

See also:

Scenario: Updating third-party software


Step 1. Defining whether to reduce traffic

When Kaspersky Security Center synchronizes updates with Microsoft Windows Update Servers, information about all files is saved in the Administration Server database. All files required for an update are also downloaded to the drive during interaction with the Windows Update Agent. In particular, Kaspersky Security Center saves information about express update files to the database and downloads them when necessary. Downloading express update files leads to decreased free space on the drive.

To avoid a decrease in disk space volume and to reduce traffic, you can disable the Download express installation files option.

If this option is selected, express update files are downloaded when running the task. By default, this option is not selected.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 2. Applications

In this section you can select applications for which updates will be downloaded.

If the All applications check box is selected, updates will be downloaded for all existing applications, and for all applications that may be released in the future.

By default, the All applications check box is selected.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 3. Update categories

In this section, you can select categories of updates that will be downloaded to the Administration Server.

If the All categories check box is selected, updates will be downloaded for all existing updates categories, and for all categories that may appear in the future.

By default, the All categories check box is selected.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 4. Updates languages


In this window you can select localization languages of updates that will be downloaded to Administration Server. Select one of the following options for downloading localization languages of updates:

  • Download all languages, including new ones

    If this option is selected, all the available localization languages of updates will be downloaded to Administration Server. By default, this option is selected.

  • Download selected languages

    If this option is selected, you can select from the list localization languages of updates that should be downloaded to Administration Server.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 5. Selecting the account to start the task


In the Selecting an account to run the task window, you can specify which account to use when running the task. Select one of the following options:

  • Default account

    The task will be run under the same account as the application that performs this task.

    By default, this option is selected.

  • Specify account

    Fill in the Account and Password fields to specify the details of an account under which the task is run. The account must have sufficient rights for this task.

    • Account

      Account under which the task is run.

    • Password

      Password of the account under which the task will be run.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 6. Configuring a task start schedule


On the Configure task schedule Wizard page, you can create a schedule for task start. If necessary, specify the following settings:

  • Scheduled start:

    Select the schedule according to which the task runs, and configure the selected schedule.

    • Every N hours

      The task runs regularly, with the specified interval in hours, starting from the specified date and time.

      By default, the task runs every six hours, starting from the current system date and time.

    • Every N days

      The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

      By default, the task runs every day, starting from the current system date and time.

    • Every N weeks

      The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

      By default, the task runs every Monday at the current system time.

    • Every N minutes

      The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

      By default, the task runs every 30 minutes, starting from the current system time.

    • Daily (daylight saving time is not supported)

      The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

      We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

      By default, the task starts every day at the current system time.

    • Weekly

      The task runs every week on the specified day and at the specified time.

    • By days of week

      The task runs regularly, on the specified days of week, at the specified time.

      By default, the task runs every Friday at 6:00:00 PM.

    • Monthly

      The task runs regularly, on the specified day of the month, at the specified time.

      In months that lack the specified day, the task runs on the last day.

      By default, the task runs on the first day of each month, at the current system time.

    • Manually

      The task does not run automatically. You can only start it manually.

      By default, this option is enabled.

    • Once

      The task runs once, on the specified date and time.

    • Every month on specified days of selected weeks

      The task runs regularly, on the specified days of each month, at the specified time.

      By default, no days of month are selected; the default start time is 6:00:00 PM.

    • On virus outbreak

      The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

      • Anti-virus for workstations and file servers
      • Anti-virus for perimeter defense
      • Anti-virus for mail systems

      By default, all application types are selected.

      You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

    • On completing another task

      The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

  • Run missed tasks

    This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

    If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

    If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

    By default, this option is enabled.

  • Use automatically randomized delay for task starts

    If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

    If this option is disabled, the task starts on client devices according to the schedule.

  • Use randomized delay for task starts within an interval of (min)

    If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

    If this option is disabled, the task starts on client devices according to the schedule.

    By default, this option is disabled. The default time interval is one minute.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 7. Defining the task name

In the Define the task name window, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|). The default value is Perform Windows Update synchronization.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Step 8. Completing creation of the task

In the Finish task creation window, click the Finish button to finish the wizard.

If you want the task to start as soon as the wizard finishes, select the Run the task after the Wizard finishes check box.

The newly created Windows Update synchronization task will appear in the list of tasks in the Tasks folder of the console tree.

See also:

Synchronizing updates from Windows Update with Administration Server

Scenario: Updating third-party software


Installing updates on devices manually

If you have selected Find and install required updates on the Update management settings page of the Quick Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. You can run or stop the task in the Managed devices folder on the Tasks tab.

If you have selected Search for required updates in the Quick Start Wizard, you can install software updates on client devices through the Install required updates and fix vulnerabilities task.

You can do any of the following:

  • Create a task for installing updates.
  • Add a rule for installing an update to an existing update installation task.
  • In the settings of an existing update installation task, configure a test installation of updates.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

Installing updates by creating an installation task

You can do any of the following:

  • Create a task for installing certain updates.
  • Select an update and create a task for installing it and similar updates.

To install specific updates:

  1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
  2. In the workspace, select the updates that you want to install.
  3. Do any of the following:
    • Right-click one of the selected updates in the list, and then select Install update → New task.
    • Click the Install update (create task) link in the information box for the selected updates.
  4. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

    The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

  5. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  6. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  7. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  8. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, Install required updates and fix vulnerabilities appears in the Tasks folder.

You can enable automatic installation of system components (prerequisites) prior to installation of an update in the Install required updates and fix vulnerabilities task properties. When this option is enabled, all required system components are installed before the update. A list of the required components can be found in properties of the update.

In the properties of the Install required updates and fix vulnerabilities task, you can allow installation of updates that upgrade an application to a new version.

If the task settings provide rules for installation of third-party updates, the Administration Server downloads all relevant updates from their vendors' websites. Updates are saved to the Administration Server repository and then distributed and installed on devices where they are applicable.

If the task settings provide rules for installation of Microsoft updates and the Administration Server acts as a WSUS server, the Administration Server downloads all relevant updates to the repository and then distributes them to managed devices. If the network does not use a WSUS server, each client device downloads Microsoft updates from external servers independently.
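
The effect of the Use randomized delay for task starts within an interval of (min) option on Administration Server load can be estimated before the interval is chosen. The following sketch is an added example, not Kaspersky code; the uniform distribution of start offsets, the 10-second load bucket, and all function names are assumptions made for illustration.

```python
import math
import random
from collections import Counter


def start_offsets(device_count, interval_min, seed=0):
    """Return each device's start offset, in seconds after the scheduled time.

    interval_min == 0 models the option being disabled: every device starts
    exactly on schedule. Otherwise each device draws a uniform random offset
    inside the interval (assumed distribution, not documented behaviour).
    """
    if device_count < 0 or interval_min < 0:
        raise ValueError("device_count and interval_min must not be negative")
    window_sec = interval_min * 60
    if window_sec == 0:
        return [0] * device_count
    rng = random.Random(seed)  # seeded so the estimate is reproducible
    return [rng.randrange(window_sec) for _ in range(device_count)]


def peak_starts(offsets, bucket_sec=10):
    """Largest number of task starts that fall into a single time bucket."""
    if not offsets:
        return 0
    buckets = Counter(offset // bucket_sec for offset in offsets)
    return max(buckets.values())


def smallest_interval(device_count, max_starts_per_bucket, bucket_sec=10):
    """Smallest whole-minute interval whose average load per bucket fits
    a (hypothetical) budget of simultaneous starts the server should see."""
    if max_starts_per_bucket <= 0:
        raise ValueError("max_starts_per_bucket must be positive")
    buckets_needed = math.ceil(device_count / max_starts_per_bucket)
    return max(1, math.ceil(buckets_needed * bucket_sec / 60))


if __name__ == "__main__":
    devices = 3000  # constructed fleet size
    for minutes in (0, 1, 10):
        peak = peak_starts(start_offsets(devices, minutes))
        print(f"interval {minutes:>2} min -> peak {peak} starts per 10 s")
    print("interval for <= 50 starts per 10 s:",
          smallest_interval(devices, 50), "min")
```

The average-based interval is a lower bound: random clustering pushes the real peak above the average, so add headroom when the server budget is tight.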

To install a certain update and similar ones:

  1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
  2. In the workspace, select the update that you want to install.
  3. Click the Run Update Installation Wizard button.

    The Update Installation Wizard starts.

    The Update Installation Wizard features are only available under the Vulnerability and Patch Management license.

    Follow the steps of the Wizard.

  4. On the Search for existing update installation tasks page, specify the following settings:
    • Search for tasks that install this update

      If this option is enabled, the Update Installation Wizard searches for existing tasks that install the selected update.

      If this option is disabled or if the search retrieves no applicable tasks, the Update Installation Wizard prompts you to create a rule or task for installing the update.

      By default, this option is enabled.

    • Approve update installation

      The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

      By default, this option is disabled.

  5. If you choose to search for existing update installation tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

    Otherwise, click the New update installation task button.

  6. Select the type of the installation rule to be added to the new task, and then click the Finish button.
  7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

    The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

  8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following options:
    • Select networked devices detected by Administration Server

      The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.

      For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

    • Specify device addresses manually or import addresses from a list

      You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

      You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

    • Assign task to a device selection

      The task is assigned to devices included in a device selection. You can specify one of the existing selections.

      For example, you may want to use this option to run a task on devices with a specific operating system version.

    • Assign task to an administration group

      The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

      For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

  10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually (selected by default)

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

When the Wizard finishes, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

Upgrading to a new version of the application may cause a malfunction of dependent applications on devices.

Installing an update by adding a rule to an existing installation task

To install an update by adding a rule to an existing installation task:

  1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
  2. In the workspace, select the update that you want to install.
  3. Click the Run Update Installation Wizard button.

    The Update Installation Wizard starts.

    The Update Installation Wizard features are only available under the Vulnerability and Patch Management license.

    Follow the steps of the Wizard.

  4. On the Search for existing update installation tasks page, specify the following settings:
    • Search for tasks that install this update

      If this option is enabled, the Update Installation Wizard searches for existing tasks that install the selected update.

      If this option is disabled or if the search retrieves no applicable tasks, the Update Installation Wizard prompts you to create a rule or task for installing the update.

      By default, this option is enabled.

    • Approve update installation

      The selected update will be approved for installation. Enable this option if some applied rules of update installation allow installation of approved updates only.

      By default, this option is disabled.

  5. If you choose to search for existing update installation tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

    Otherwise, click the Add an update installation rule button.

  6. Select the task to which you want to add a rule, and then click the Add rule button.

    Also, you can view properties of the existing tasks, start them manually, or create a new task.

  7. Select the type of the rule to be added to the selected task, and then click the Finish button.
  8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

A new rule for installing the update is added to the existing Install required updates and fix vulnerabilities task.

Configuring a test installation of updates

To configure a test installation of updates:

  1. In the console tree, select the Install required updates and fix vulnerabilities task in the Managed devices folder on the Tasks tab.
  2. In the context menu of the task, select Properties.

    The properties window of the Install required updates and fix vulnerabilities task opens.

  3. In the properties window of the task, in the Test installation section select one of the available options for test installation:
    • Do not scan. Select this option if you do not want to perform a test installation of updates.
    • Run scan on selected devices. Select this option if you want to test updates installation on selected devices. Click the Add button and select devices on which you need to perform test installation of updates.
    • Run scan on devices in the specified group. Select this option if you want to test updates installation on a group of devices. In the Specify a test group field, specify a group of devices on which you want to perform a test installation.
    • Run scan on specified percentage of devices. Select this option if you want to test updates installation on some portion of devices. In the Percentage of test devices out of all target devices field, specify the percentage of devices on which you want to perform a test installation of updates.
  4. Upon selecting any option except Do not scan, in the Amount of time to make the decision if the installation is to be continued, in hours field specify the number of hours that must elapse from the test installation of updates until the start of installation of the updates on all devices.
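
The Run scan on specified percentage of devices option and the decision delay can be planned on paper before they are entered in the task properties. The following sketch is an added example, not Kaspersky code; the page does not say how the test devices are chosen, so the hash-based selection, the failure gate, the device names, and all function names are assumptions.

```python
import hashlib
import math
from datetime import datetime, timedelta


def pick_test_devices(devices, percentage):
    """Choose a stable test subset covering `percentage` of the target devices.

    Ranking by SHA-256 of the device name (an assumed method) keeps the same
    devices in the test set between runs, regardless of input order.
    """
    if not 0 < percentage <= 100:
        raise ValueError("percentage must be greater than 0 and at most 100")
    unique = sorted(set(devices))
    if not unique:
        return []
    # Round up so that a small fleet still gets at least one test device.
    count = max(1, math.ceil(len(unique) * percentage / 100))
    ranked = sorted(
        unique,
        key=lambda name: hashlib.sha256(name.encode("utf-8")).hexdigest(),
    )
    return sorted(ranked[:count])


def plan_rollout(devices, percentage, decision_hours, test_installed_at):
    """Split the targets into test and remaining devices and compute the
    earliest start of installation on all devices: the test installation
    time plus the decision delay in hours."""
    if decision_hours < 0:
        raise ValueError("decision_hours must not be negative")
    test = pick_test_devices(devices, percentage)
    remaining = sorted(set(devices) - set(test))
    return {
        "test_devices": test,
        "remaining_devices": remaining,
        "full_install_not_before": test_installed_at
        + timedelta(hours=decision_hours),
    }


def may_continue(plan, failed_devices, now):
    """Operator-side gate (assumption): continue only when the decision
    delay has elapsed and no test device reported a failed installation."""
    if now < plan["full_install_not_before"]:
        return False
    return not (set(plan["test_devices"]) & set(failed_devices))


if __name__ == "__main__":
    fleet = [f"ws-{i:03d}" for i in range(25)]  # constructed device names
    plan = plan_rollout(fleet, 10, 24, datetime(2024, 1, 8, 18, 0))
    print("test devices:", plan["test_devices"])
    print("install on all devices not before:",
          plan["full_install_not_before"])
```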

See also:

Scenario: Updating third-party software


Configuring Windows updates in a Network Agent policy


To configure Windows Updates in a Network Agent policy:

  1. In the console tree, select Managed devices.
  2. In the workspace, select the Policies tab.
  3. Select a Network Agent policy.
  4. In the context menu of the policy, select Properties.

    The properties window for the Network Agent policy opens.

  5. In the Sections pane, select Software updates and vulnerabilities.
  6. Select the Use Administration Server as a WSUS server option to download Windows updates to the Administration Server and then distribute them to client devices through Network Agent.

    If this option is not selected, Windows updates are not downloaded to the Administration Server. In this case, client devices receive Windows updates directly from Microsoft servers.

  7. Select the set of updates that the users can install on their devices manually by using Windows Update.

    On devices running Windows 10, if Windows Update has already found updates for the device, the new option that you select under Allow users to manage installation of Windows Update updates will be applied only after the updates found are installed.

    Select an item in the drop-down list:

    • Allow users to install all applicable Windows Update updates

      Users can install all of the Microsoft Windows Update updates that are applicable to their devices.

      Select this option if you do not want to interfere in the installation of updates.

      When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

    • Allow users to install only approved Windows Update updates

      Users can install all of the Microsoft Windows Update updates that are applicable to their devices and that are approved by you.

      For example, you may want to first check the installation of updates in a test environment and make sure that they do not interfere with the operation of devices, and only then allow the installation of these approved updates on client devices.

      When the user installs Microsoft Windows Update updates manually, the updates may be downloaded from Microsoft servers rather than from Administration Server. This is possible if Administration Server has not yet downloaded these updates. Downloading updates from Microsoft servers results in extra traffic.

    • Do not allow users to install Windows Update updates

      Users cannot install Microsoft Windows Update updates on their devices manually. All of the applicable updates are installed as configured by you.

      Select this option if you want to manage the installation of updates centrally.

      For example, you may want to optimize the update schedule so that the network does not become overloaded. You can schedule after-hours updates, so that they do not interfere with user productivity.

  8. Select the Windows Update search mode:
    • Active

      If this option is selected, Administration Server with support from Network Agent initiates a request from Windows Update Agent on the client device to the update source: Windows Update Servers or WSUS. Next, Network Agent passes information received from Windows Update Agent to Administration Server.

      This option takes effect only if the Connect to the update server to update data option of the Find vulnerabilities and required updates task is selected.

      By default, this option is selected.

    • Passive

      If you select this option, Network Agent periodically passes Administration Server information about updates retrieved at the last synchronization of Windows Update Agent with the update source. If no synchronization of Windows Update Agent with an update source is performed, information about updates on Administration Server becomes out-of-date.

      Select this option if you want to get updates from the memory cache of the update source.

    • Disabled

      If this option is selected, Administration Server does not request any information about updates.

      Select this option if, for example, you want to test the updates on your local device first.

  9. Select the Scan executable files for vulnerabilities when running them option if you want to scan executable files for vulnerabilities while the files are being run.
  10. Make sure that editing is locked for all the settings that you have changed. Otherwise, the changes do not apply.
  11. Click Apply.

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities

This section provides a scenario for finding and fixing vulnerabilities on the managed devices running Windows. You can find and fix software vulnerabilities in the operating system and in third-party software, including Microsoft software.

Prerequisites

  • Kaspersky Security Center is deployed in your organization.
  • There are managed devices running Windows in your organization.
  • Internet connection is required for Administration Server to perform the following tasks:
    • To make a list of recommended fixes for vulnerabilities in Microsoft software. The list is created and regularly updated by Kaspersky specialists.
    • To fix vulnerabilities in third-party software other than Microsoft software.

Stages

Finding and fixing software vulnerabilities proceeds in stages:

  1. Scanning for vulnerabilities in the software installed on the managed devices

    To find vulnerabilities in the software installed on the managed devices, run the Find vulnerabilities and required updates task. When this task is complete, Kaspersky Security Center receives the lists of detected vulnerabilities and required updates for the third-party software installed on the devices that you specified in the task properties.

    The Find vulnerabilities and required updates task is created automatically by Kaspersky Security Center Quick Start Wizard. If you did not run the Wizard, start it now or create the task manually.

  2. Analyzing the list of detected software vulnerabilities

    View the Software vulnerabilities list and decide which vulnerabilities are to be fixed. To view detailed information about each vulnerability, click the vulnerability name in the list. For each vulnerability in the list, you can also view the statistics on the vulnerability on managed devices.

  3. Configuring vulnerabilities fix

    When the software vulnerabilities are detected, you can fix the software vulnerabilities on the managed devices by using the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task.

    The Install required updates and fix vulnerabilities task is used to update and fix vulnerabilities in third-party software, including Microsoft software, installed on the managed devices. This task allows you to install multiple updates and fix multiple vulnerabilities according to certain rules. Note that this task can be created only if you have the license for the Vulnerability and Patch Management feature. To fix software vulnerabilities the Install required updates and fix vulnerabilities task uses recommended software updates.

    The Fix vulnerabilities task does not require the license option for the Vulnerability and Patch Management feature. To use this task, you must manually specify user fixes for vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for third-party software.

    You can start Vulnerabilities Fix Wizard that creates one of these tasks automatically, or you can create one of these tasks manually.

  4. Scheduling the tasks

    To be sure that the vulnerabilities list is always up-to-date, schedule the Find vulnerabilities and required updates task to run automatically from time to time. The recommended average frequency is once a week.

    If you have created the Install required updates and fix vulnerabilities task, you can schedule it to run with the same frequency as the Find vulnerabilities and required updates task or less often. When scheduling the Fix vulnerabilities task, note that you have to select fixes for Microsoft software or specify user fixes for third-party software every time before starting the task.

    When scheduling the tasks, make sure that a task to fix vulnerabilities starts after the Find vulnerabilities and required updates task is complete.

  5. Ignoring software vulnerabilities (optional)

    If you want, you can ignore software vulnerabilities to be fixed on all managed devices or only on the selected managed devices.

  6. Running a vulnerability fix task

    Start the Install required updates and fix vulnerabilities task or the Fix vulnerabilities task. When the task is complete, make sure that it has the Completed successfully status in the task list.

  7. Creating the report on the results of fixing software vulnerabilities (optional)

    To view detailed statistics on the vulnerabilities fix, generate the Report on vulnerabilities. The report displays information about software vulnerabilities that are not fixed. This gives you an overview of how vulnerabilities in third-party software, including Microsoft software, are being found and fixed in your organization.

  8. Checking configuration of finding and fixing vulnerabilities in third-party software

    Be sure that you have done the following:

    • Obtained and reviewed the list of software vulnerabilities on managed devices
    • Ignored software vulnerabilities if you wanted
    • Configured the task to fix vulnerabilities
    • Scheduled the tasks to find and to fix software vulnerabilities so that they start sequentially
    • Checked that the task to fix software vulnerabilities was run

Results

If you have created and configured the Install required updates and fix vulnerabilities task, the vulnerabilities are fixed on the managed devices automatically. When the task is run, it correlates the list of available software updates to the rules specified in the task settings. All software updates that meet the criteria in the rules will be downloaded to the Administration Server repository and will be installed to fix software vulnerabilities.

If you have created the Fix vulnerabilities task, only software vulnerabilities in Microsoft software are fixed.

About finding and fixing software vulnerabilities

Kaspersky Security Center detects and fixes software vulnerabilities on managed devices running operating systems of the Microsoft Windows families. Vulnerabilities are detected in the operating system and in third-party software, including Microsoft software.

Finding software vulnerabilities

To find software vulnerabilities, Kaspersky Security Center uses characteristics from the database of known vulnerabilities. This database is created by Kaspersky specialists. It contains information about vulnerabilities, such as the vulnerability description, the date the vulnerability was detected, and the vulnerability severity level. You can find the details of software vulnerabilities on the Kaspersky website.

Kaspersky Security Center uses the Find vulnerabilities and required updates task to find software vulnerabilities.

Fixing software vulnerabilities

To fix software vulnerabilities, Kaspersky Security Center uses software updates issued by the software vendors. The software updates metadata is downloaded to the Administration Server repository when the following tasks run:

  • Download updates to the Administration Server repository. This task is intended to download updates metadata for Kaspersky and third-party software. This task is created automatically by the Kaspersky Security Center Quick Start Wizard. You can create the Download updates to the Administration Server repository task manually.
  • Perform Windows Update synchronization. This task is intended to download updates metadata for Microsoft software.

Software updates to fix vulnerabilities can be represented as full distribution packages or patches. Software updates that fix software vulnerabilities are named fixes. Recommended fixes are those that are recommended for installation by Kaspersky specialists. User fixes are those that are manually specified for installation by users. To install a user fix, you have to create an installation package containing this fix.

If you have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, you can use the Install required updates and fix vulnerabilities task to fix software vulnerabilities. This task automatically fixes multiple vulnerabilities by installing recommended fixes. For this task, you can manually configure certain rules to fix multiple vulnerabilities.

If you do not have the Kaspersky Security Center license with the Vulnerability and Patch Management feature, to fix software vulnerabilities, you can use the Fix vulnerabilities task. By means of this task, you can fix vulnerabilities by installing recommended fixes for Microsoft software and user fixes for other third-party software.

For security reasons, any third-party software updates that you install by using the Vulnerability and Patch Management feature are automatically scanned for malware by Kaspersky technologies. These technologies are used for automatic file check and include anti-virus scan, static analysis, dynamic analysis, behavior analysis in the sandbox environment, and machine learning.

Kaspersky experts do not perform manual analysis of third-party software updates that can be installed by using the Vulnerability and Patch Management feature. In addition, Kaspersky experts do not search for vulnerabilities (known or unknown) or undocumented features in such updates, and do not perform any analysis of the updates other than that specified in the paragraph above.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

To fix some software vulnerabilities, you must accept the End User License Agreement (EULA) for installing the software if EULA acceptance is requested. If you decline the EULA, the software vulnerability is not fixed.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

Viewing information about software vulnerabilities

To view a list of vulnerabilities detected on client devices,

In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

The page displays a list of vulnerabilities in applications detected on managed devices.

To obtain information about a selected vulnerability,

Select Properties from the context menu of the vulnerability.

The properties window of the vulnerability opens, displaying the following information:

  • Application in which the vulnerability has been detected.
  • List of devices on which the vulnerability has been detected.
  • Information on whether the vulnerability has been fixed.

To view the report on all detected vulnerabilities,

In the Software vulnerabilities folder, click the View report on vulnerabilities link.

A report on vulnerabilities in applications installed on devices will be generated. You can view this report in the node with the name of the relevant Administration Server, by opening the Reports tab.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

Viewing statistics of vulnerabilities on managed devices

You can view statistics for each software vulnerability on managed devices. The statistics are presented as a diagram. The diagram displays the number of devices with the following statuses:

  • Ignored on: <number of devices>. The status is assigned if, in the vulnerability properties, you have manually set the option to ignore the vulnerability.
  • Fixed on: <number of devices>. The status is assigned if the task to fix the vulnerability has successfully completed.
  • Fix scheduled on: <number of devices>. The status is assigned if you have created the task to fix the vulnerability but the task is not performed yet.
  • Patch applied on: <number of devices>. The status is assigned if you have manually selected a software update to fix the vulnerability but this software update has not fixed the vulnerability.
  • Fix required on: <number of devices>. The status is assigned if the vulnerability was fixed only on some of the managed devices and still has to be fixed on the rest of the managed devices.

To view the statistics of a vulnerability on managed devices:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

    The page displays a list of vulnerabilities in applications detected on managed devices.

  2. Select a vulnerability for which you want to view the statistics.

    In the block for working with a selected object, a diagram of the vulnerability statuses is displayed. Clicking a status opens a list of devices on which the vulnerability has the selected status.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

Scanning applications for vulnerabilities

If you have configured the application through the Quick Start Wizard, the Vulnerability scan task is created automatically. You can view the task in the Managed devices folder, on the Tasks tab.

To create a task for vulnerability scanning in applications installed on client devices:

  1. In the console tree, select Advanced → Application management, and then select the Software vulnerabilities subfolder.
  2. In the workspace, select Additional actions → Configure vulnerability scan.

    If a task for vulnerability scanning already exists, the Tasks tab of the Managed devices folder is displayed, with the existing task selected. Otherwise, the Find Vulnerabilities and Required Updates Task Creation Wizard starts. Follow the steps of the Wizard.

  3. In the Select the task type window, select Find vulnerabilities and required updates.
  4. On the Settings page of the Wizard, specify the task settings as follows:
    • Search for vulnerabilities and updates listed by Microsoft

      When searching for vulnerabilities and updates, Kaspersky Security Center uses the information about applicable Microsoft updates from the source of Microsoft updates, which are available at the present moment.

      For example, you may want to disable this option if you have different tasks with different settings for Microsoft updates and updates of third-party applications.

      By default, this option is enabled.

      • Connect to the update server to update data

        Windows Update Agent on a managed device connects to the source of Microsoft updates. The following servers can act as a source of Microsoft updates:

        • Kaspersky Security Center Administration Server (see the settings of Network Agent policy)
        • Windows Server with Microsoft Windows Server Update Services (WSUS) deployed in your organization's network
        • Microsoft Updates servers

        If this option is enabled, Windows Update Agent on a managed device connects to the source of Microsoft updates to refresh the information about applicable Microsoft Windows updates.

        If this option is disabled, Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache.

        Connecting to the source of Microsoft updates can be resource-consuming. You might want to disable this option if you set regular connection to this source of updates in another task or in the properties of Network Agent policy, in the section Software updates and vulnerabilities. If you do not want to disable this option, then, to reduce the Server overload, you can configure the task schedule to randomize delay for task starts within 360 minutes.

        By default, this option is enabled.

        The combination of this option with the Windows Update search mode setting of the Network Agent policy defines the mode of getting updates:

        • Windows Update Agent on a managed device connects to the Update Server to get updates only if the Connect to the update server to update data option is enabled and the Active option, in the Windows Update search mode settings group, is selected.
        • Windows Update Agent on a managed device uses the information about applicable Microsoft Windows updates that was received from the source of Microsoft updates earlier and that is stored in the device's cache, if the Connect to the update server to update data option is enabled and the Passive option, in the Windows Update search mode settings group, is selected, or if the Connect to the update server to update data option is disabled and the Active option, in the Windows Update search mode settings group, is selected.
        • Irrespective of the status of the Connect to the update server to update data option (enabled or disabled), if the Disabled option in the Windows Update search mode settings group is selected, Kaspersky Security Center does not request any information about updates.
    • Search for third-party vulnerabilities and updates listed by Kaspersky

      If this option is enabled, Kaspersky Security Center searches for vulnerabilities and required updates for third-party applications (applications made by software vendors other than Kaspersky and Microsoft) in Windows Registry and in the folders specified under Specify paths for advanced search of applications in file system. The full list of supported third-party applications is managed by Kaspersky.

      If this option is disabled, Kaspersky Security Center does not search for vulnerabilities and required updates for third-party applications. For example, you may want to disable this option if you have different tasks with different settings for Microsoft Windows updates and updates of third-party applications.

      By default, this option is enabled.

    • Specify paths for advanced search of applications in file system

      The folders in which Kaspersky Security Center searches for third-party applications that require vulnerability fix and update installation. You can use system variables.

      Specify the folders to which applications are installed. By default, the list contains system folders to which most of the applications are installed.

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

    • Maximum size, in MB, of advanced diagnostics files

      The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  5. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • When new updates are downloaded to the repository

        The task runs after updates are downloaded to the repository. For example, you may want to use this schedule for the Find vulnerabilities and required updates task.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  6. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  7. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, the Find vulnerabilities and required updates task appears in the list of tasks in the Managed devices folder, on the Tasks tab.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

When the Find vulnerabilities and required updates task is complete, Administration Server displays a list of vulnerabilities found in applications installed on the device; it also displays all software updates required to fix the vulnerabilities detected.

If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

Administration Server does not display the list of required software updates when you sequentially run two tasks—the Perform Windows Update synchronization task that has the Download express installation files option disabled, and then the Find vulnerabilities and required updates task. In order to view the list of required software updates, you must run the Find vulnerabilities and required updates task again.

Network Agent receives information about any available Windows updates and other Microsoft product updates from Windows Update or the Administration Server, if the Administration Server acts as the WSUS server. Information is transmitted when applications are started (if this is provided for by the policy) and at each routine run of the Find vulnerabilities and required updates task on client devices.
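The task settings above describe how the Windows Update search mode of the Network Agent policy combines with the Connect to the update server to update data option of the task. The following is an added example, not part of the Kaspersky documentation or product: it encodes those rules and flags administration groups whose Microsoft update data is missing or may be out of date. The `GroupConfig` records, the sample inventory and the 7-day `MAX_CACHE_AGE` threshold are assumptions; Kaspersky Security Center does not export settings in this form.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class SearchMode(Enum):
    """Windows Update search mode in the Network Agent policy."""
    ACTIVE = "Active"
    PASSIVE = "Passive"
    DISABLED = "Disabled"


class DataSource(Enum):
    """Where the Find vulnerabilities and required updates task gets its data."""
    REFRESHED = "Windows Update Agent connects to the update source"
    CACHED = "Windows Update Agent cache from the last synchronization"
    NONE = "no update information is requested"


def effective_source(mode: SearchMode, connect_to_update_server: bool) -> DataSource:
    """Combine the policy search mode with the task option
    'Connect to the update server to update data'."""
    if mode is SearchMode.DISABLED:
        return DataSource.NONE        # the task option is irrelevant in this mode
    if mode is SearchMode.ACTIVE and connect_to_update_server:
        return DataSource.REFRESHED   # the only combination that contacts the source
    # Passive + enabled and Active + disabled are documented as cache-only.
    # Passive + disabled is not listed in the documentation; each setting on
    # its own means "use the cache", so it is treated as cache-only here
    # (assumption of this example).
    return DataSource.CACHED


@dataclass
class GroupConfig:
    """Hypothetical record of the two settings for one administration group."""
    group: str
    mode: SearchMode
    connect: bool
    last_wua_sync: Optional[datetime]   # None means never synchronized


# Assumed threshold for this example, not a product default.
MAX_CACHE_AGE = timedelta(days=7)


def audit(configs: List[GroupConfig], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (group, finding, detail) for groups with missing or stale data."""
    findings = []
    for c in configs:
        source = effective_source(c.mode, c.connect)
        if source is DataSource.NONE:
            findings.append((c.group, "no-data",
                             "search mode is Disabled; no update data is requested"))
        elif source is DataSource.CACHED:
            if c.last_wua_sync is None:
                findings.append((c.group, "stale",
                                 "cache only, and Windows Update Agent never synchronized"))
            elif now - c.last_wua_sync > MAX_CACHE_AGE:
                age = (now - c.last_wua_sync).days
                findings.append((c.group, "stale",
                                 f"cache only, last synchronization {age} days ago"))
    return findings


# Constructed sample inventory (not real data).
NOW = datetime(2024, 5, 20, 9, 0)
SAMPLE = [
    GroupConfig("Workstations", SearchMode.ACTIVE, True, NOW - timedelta(days=1)),
    GroupConfig("Branch office", SearchMode.PASSIVE, True, NOW - timedelta(days=3)),
    GroupConfig("Build servers", SearchMode.ACTIVE, False, NOW - timedelta(days=21)),
    GroupConfig("Lab", SearchMode.DISABLED, True, None),
    GroupConfig("Kiosks", SearchMode.PASSIVE, False, None),
]

if __name__ == "__main__":
    for group, finding, detail in audit(SAMPLE, NOW):
        print(f"{group}: {finding} ({detail})")
```

A cache-only group is not a finding by itself: it is flagged only when nothing else keeps the Windows Update Agent cache fresh.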

You can find the details of third-party software that can be updated through Kaspersky Security Center by visiting the Technical Support website, on the Kaspersky Security Center page, in the Server Management section.

See also:

Scenario: Deployment for cloud environment

Scenario: Finding and fixing third-party software vulnerabilities

Scenario: Updating third-party software

Fixing vulnerabilities in applications

If you have selected Find and install required updates on the Update management settings page of the Quick Start Wizard, the Install required updates and fix vulnerabilities task is created automatically. The task is displayed in the workspace of the Managed devices folder, on the Tasks tab.

Otherwise, you can do any of the following:

  • Create a task for fixing vulnerabilities by installing available updates.
  • Add a rule for fixing a vulnerability to an existing vulnerability fix task.

A user interaction may be required when you update a third-party application or fix a vulnerability in a third-party application on a managed device. For example, the user may be prompted to close the third-party application if it's currently open.

Fixing vulnerabilities by creating a vulnerability fix task

You can do any of the following:

  • Create a task for fixing multiple vulnerabilities that meet certain rules.
  • Select a vulnerability and create a task for fixing it and similar vulnerabilities.

To fix vulnerabilities that meet certain rules:

  1. In the console tree, select the Managed devices folder.
  2. In the workspace, select the Tasks tab.
  3. Click the Create a task button to run the Add Task Wizard. Follow the steps of the Wizard.
  4. On the Select the task type page of the Wizard, select Install required updates and fix vulnerabilities.
  5. On the Settings page of the Wizard, specify the task settings as follows:
    • Specify rules for installing updates

      These rules are applied to installation of updates on client devices. If rules are not specified, the task has nothing to perform. For information about operations with rules, refer to Rules for update installation.

    • Start installation at device restart or shutdown

      If this option is enabled, updates are installed when the device is restarted or shut down. Otherwise, updates are installed according to a schedule.

      Use this option if installing the updates might affect the device performance.

      By default, this option is disabled.

    • Install required general system components

      If this option is enabled, before installing an update the application automatically installs all general system components (prerequisites) that are required to install the update. For example, these prerequisites can be operating system updates.

      If this option is disabled, you may have to install the prerequisites manually.

      By default, this option is disabled.

    • Allow installation of new application versions during updates

      If this option is enabled, updates are allowed when they result in installation of a new version of a software application.

      If this option is disabled, the software is not upgraded. You can then install new versions of the software manually or through another task. For example, you may use this option if your company infrastructure is not supported by a new software version or if you want to check an upgrade in a test infrastructure.

      By default, this option is enabled.

      Upgrading an application may cause malfunction of dependent applications installed on client devices.

    • Download updates to the device without installing them

      If this option is enabled, the application downloads updates to the device but does not install them automatically. You can then install downloaded updates manually.

      Microsoft updates are downloaded to the system Windows storage. Updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft) are downloaded to the folder specified in the Folder for downloading updates field.

      If this option is disabled, the updates are installed to the device automatically.

      By default, this option is disabled.

      • Folder for downloading updates

        This folder is used to download updates of third-party applications (applications made by software vendors other than Kaspersky and Microsoft).

    • Enable advanced diagnostics

      If this feature is enabled, Network Agent writes traces even if tracing is disabled for Network Agent in Kaspersky Security Center Remote Diagnostics Utility. Traces are written to two files in turn; the total size of both files is determined by the Maximum size, in MB, of advanced diagnostics files value. When both files are full, Network Agent starts writing to them again. The files with traces are stored in the %WINDIR%\Temp folder. These files are accessible in the remote diagnostics utility, where you can download or delete them.

      If this feature is disabled, Network Agent writes traces according to the settings in Kaspersky Security Center Remote Diagnostics Utility. No additional traces are written.

      When creating a task, you do not have to enable advanced diagnostics. You may want to use this feature later if, for example, a task run fails on some of the devices and you want to get additional information during another task run.

      By default, this option is disabled.

      • Maximum size, in MB, of advanced diagnostics files

        The default value is 100 MB, and available values are between 1 MB and 2048 MB. You may be asked to change the default value by Kaspersky Technical Support specialists when information in the advanced diagnostics files sent by you is not enough to troubleshoot the problem.

  6. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  7. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  8. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  9. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

After the Wizard completes its operation, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

If the task results contain the 0x80240033 "Windows Update Agent error 80240033 ("License terms could not be downloaded.")" error, you can resolve this issue through the Windows Registry.

To fix a specific vulnerability and similar ones:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
  2. Select the vulnerability that you want to fix.
  3. Click the Run Vulnerability Fix Wizard button.

    The Vulnerability Fix Wizard starts.

    The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.

    Follow the steps of the Wizard.

  4. In the Search for existing vulnerability fix tasks window, specify the following parameters:
    • Show only tasks that fix this vulnerability

      If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.

      If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.

      By default, this option is enabled.

    • Approve updates that fix this vulnerability

      Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.

      By default, this option is disabled.

  5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

    Otherwise, click the New vulnerability fix task button.

  6. Select the type of the vulnerability fix rule to be added to the new task, and then click the Finish button.
  7. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

    The Updates Installation and Vulnerabilities Fix Task Creation Wizard starts. Follow the steps of the Wizard.

  8. On the Selecting an operating system restart option page of the Wizard, select the action to perform when the operating system on client devices must be restarted after the operation:
    • Do not restart the device

      Client devices are not restarted automatically after the operation. To complete the operation, you must restart a device (for example, manually or through a device management task). Information about the required restart is saved in the task results and in the device status. This option is suitable for tasks on servers and other devices where continuous operation is critical.

    • Restart the device

      Client devices are always restarted automatically if a restart is required for completion of the operation. This option is useful for tasks on devices that provide for regular pauses in their operation (shutdown or restart).

    • Prompt user for action

      The restart reminder is displayed on the screen of the client device, prompting the user to restart it manually. Some advanced settings can be defined for this option: text of the message for the user, the message display frequency, and the time interval after which a restart will be forced (without the user's confirmation). This option is most suitable for workstations where users must be able to select the most convenient time for a restart.

      By default, this option is selected.

      • Repeat prompt every (min)

        If this option is enabled, the application prompts the user to restart the operating system with the specified frequency.

        By default, this option is enabled. The default interval is 5 minutes. Available values are between 1 and 1440 minutes.

        If this option is disabled, the prompt is displayed only once.

      • Restart after (min)

        After prompting the user, the application forces restart of the operating system upon expiration of the specified time interval.

        By default, this option is enabled. The default delay is 30 minutes. Available values are between 1 and 1440 minutes.

    • Force closure of applications in blocked sessions

      Running applications may prevent a restart of the client device. For example, if a document is being edited in a word processing application and is not saved, the application does not allow the device to restart.

      If this option is enabled, such applications on a locked device are forced to close before the device restart. As a result, users may lose their unsaved changes.

      If this option is disabled, a locked device is not restarted. The task status on this device states that a device restart is required. Users have to manually close all applications running on locked devices and restart these devices.

      By default, this option is disabled.

  9. On the Select devices to which the task will be assigned page of the Wizard, select one of the following options:
    • Select networked devices detected by Administration Server

      The task is assigned to specific devices. The specific devices can include devices in administration groups as well as unassigned devices.

      For example, you may want to use this option in a task of installing Network Agent on unassigned devices.

    • Specify device addresses manually or import addresses from a list

      You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.

      You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.

    • Assign task to a device selection

      The task is assigned to devices included in a device selection. You can specify one of the existing selections.

      For example, you may want to use this option to run a task on devices with a specific operating system version.

    • Assign task to an administration group

      The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.

      For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.

  10. On the Configure task schedule page of the Wizard, you can create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:

      Select the schedule according to which the task runs, and configure the selected schedule.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every six hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Monday at the current system time.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Kaspersky Security Center.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Manually

        The task does not run automatically. You can only start it manually.

        By default, this option is enabled.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected; the default start time is 6:00:00 PM.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the anti-virus application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. For example, you may want to run the Manage devices task with the Turn on the device option and, after it completes, run the Virus scan task.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices; for Manually, Once and Immediately, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is enabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  11. On the Define the task name page of the Wizard, specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  12. On the Finish task creation page of the Wizard, click the Finish button to close the Wizard.

    If you want the task to start as soon as the Wizard finishes, select the Run the task after the Wizard finishes check box.

When the Wizard completes, the Install required updates and fix vulnerabilities task is created and displayed in the Tasks folder.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

Fixing a vulnerability by adding a rule to an existing vulnerability fix task

To fix a vulnerability by adding a rule to an existing vulnerability fix task:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.
  2. Select the vulnerability that you want to fix.
  3. Click the Run Vulnerability Fix Wizard button.

    The Vulnerability Fix Wizard starts.

    The Vulnerability Fix Wizard features are only available under the Vulnerability and Patch Management license.

    Follow the steps of the Wizard.

  4. In the Search for existing vulnerability fix tasks window, specify the following parameters:
    • Show only tasks that fix this vulnerability

      If this option is enabled, the Vulnerability Fix Wizard searches for existing tasks that fix the selected vulnerability.

      If this option is disabled or if the search yields no applicable tasks, the Vulnerability Fix Wizard prompts you to create a rule or task for fixing the vulnerability.

      By default, this option is enabled.

    • Approve updates that fix this vulnerability

      Updates that fix a vulnerability will be approved for installation. Enable this option if some applied rules of update installation only allow the installation of approved updates.

      By default, this option is disabled.

  5. If you choose to search for existing vulnerability fix tasks and if the search retrieves some tasks, you can view properties of these tasks or start them manually. No further actions are required.

    Otherwise, click the Add vulnerability fix rule to existing task button.

  6. Select the task to which you want to add a rule, and then click the Add rule button.

    Also, you can view properties of the existing tasks, start them manually, or create a new task.

  7. Select the type of rule to be added to the selected task, and then click the Finish button.
  8. Make your choice in the displayed prompt about installing all previous application updates. Click Yes if you agree to the installation of successive application versions incrementally if this is required for installing the selected updates. Click No if you want to update applications in a straightforward fashion, without installing successive versions. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

A new rule for fixing the vulnerability is added to the existing Install required updates and fix vulnerabilities task.
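The prompt about installing all previous application updates decides whether a fix can pass through intermediate versions or must reach the selected version in one step. The sketch below is an added illustration, not Kaspersky Security Center code: the `Update` record, the `min_base` field, the `plan_update` function, and the version catalog are hypothetical, constructed only to model the Yes/No behavior described in the procedures above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    version: str   # version installed on the device after this update
    min_base: str  # lowest installed version this update can be applied to


class UpdateFailed(Exception):
    """The selected update cannot be installed under the chosen answer."""


def parse(version):
    """Turn '10.2' into (10, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def plan_update(installed, wanted, catalog, install_previous):
    """Return the ordered list of versions to install to reach `wanted`.

    install_previous=True  models answering Yes (successive versions allowed).
    install_previous=False models answering No (direct update only).
    """
    current, target = parse(installed), parse(wanted)
    steps = []
    while current < target:
        # Updates that apply to the current version and do not overshoot.
        usable = [u for u in catalog
                  if parse(u.min_base) <= current < parse(u.version) <= target]
        if not usable:
            raise UpdateFailed(f"no update applies to installed version {installed}")
        # A higher installed version never disqualifies an update in this
        # model, so always taking the largest jump gives the shortest chain.
        best = max(usable, key=lambda u: parse(u.version))
        if parse(best.version) != target and not install_previous:
            raise UpdateFailed(
                f"{wanted} needs intermediate version {best.version}, "
                "but installing previous versions was declined")
        steps.append(best.version)
        current = parse(best.version)
    return steps


# Constructed catalog for one hypothetical third-party application.
CATALOG = [
    Update("9.0", min_base="8.0"),
    Update("10.0", min_base="9.0"),
    Update("10.2", min_base="10.0"),
    Update("11.0", min_base="10.0"),  # the update that fixes the vulnerability
]

if __name__ == "__main__":
    print("Yes:", plan_update("8.5", "11.0", CATALOG, install_previous=True))
    try:
        plan_update("8.5", "11.0", CATALOG, install_previous=False)
    except UpdateFailed as err:
        print("No: ", err)
```

Under these assumptions, a device that answers No and is several versions behind stays vulnerable with a failed task result, so such devices need either the incremental path or a separate upgrade before the fix task runs.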

See also:

Scenario: Updating third-party software

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 61947]

Ignoring software vulnerabilities

You can ignore software vulnerabilities that would otherwise be fixed. The reasons to ignore software vulnerabilities might be, for example, the following:

  • You do not consider the software vulnerability critical to your organization.
  • You understand that the software vulnerability fix can damage data related to the software that required the vulnerability fix.
  • You are sure that the software vulnerability is not dangerous for your organization's network because you use other measures to protect your managed devices.

You can ignore a software vulnerability on all managed devices or only on selected managed devices.

To ignore a software vulnerability on all managed devices:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

    The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.

  2. Select the vulnerability you want to ignore.
  3. Select Properties from the context menu of the vulnerability.

    The properties window of the vulnerability opens.

  4. In the General section, select the Ignore vulnerability option.
  5. Click OK.

    The software vulnerability properties window is closed.

The software vulnerability is ignored on all managed devices.

To ignore a software vulnerability on the selected managed device:

  1. Open the properties window of the selected managed device and select the Software vulnerabilities section.
  2. Select a software vulnerability.
  3. Ignore selected vulnerability.

The software vulnerability is ignored on the selected device.

The ignored software vulnerability will not be fixed after completion of the Fix vulnerabilities task or Install required updates and fix vulnerabilities task. You can exclude ignored software vulnerabilities from the list of vulnerabilities by means of the filter.

See also:

Scenario: Finding and fixing third-party software vulnerabilities

[Topic 191582]

Selecting user fixes for vulnerabilities in third-party software

To use the Fix vulnerabilities task, you must manually specify the software updates to fix the vulnerabilities in third-party software listed in the task settings. The Fix vulnerabilities task uses recommended fixes for Microsoft software and user fixes for other third-party software. User fixes are software updates to fix vulnerabilities that the administrator manually specifies for installation.

To select user fixes for vulnerabilities in third-party software:

  1. In the Advanced → Application management folder in the console tree, select the Software vulnerabilities subfolder.

    The workspace of the folder displays a list of vulnerabilities in applications detected on devices by the Network Agent installed on them.

  2. Select the vulnerability for which you want to specify a user fix.
  3. Select Properties from the context menu of the vulnerability.

    The properties window of the vulnerability opens.

  4. In the User fixes and other fixes section, click the Add button.

    The list of available installation packages is displayed. This list corresponds to the Remote installation → Installation packages list. If you have not created an installation package containing a user fix for the selected vulnerability, you can create the package now by starting the New Package Wizard.

  5. Select an installation package (or packages) containing a user fix (or user fixes) for the vulnerability in third-party software.
  6. Click OK.

The installation packages containing user fixes for the software vulnerability are specified. When the Fix vulnerabilities task is started, the installation package will be installed, and the software vulnerability will be fixed.

See also:

About finding and fixing software vulnerabilities

Scenario: Finding and fixing third-party software vulnerabilities


Rules for update installation


When fixing vulnerabilities in applications, you must specify rules for update installation. These rules determine updates to install and vulnerabilities to fix.

The exact settings depend on whether you create a rule for updates of Microsoft applications, of third-party applications (applications made by software vendors other than Kaspersky and Microsoft), or of all applications. When creating a rule for Microsoft applications or third-party applications, you can select specific applications and application versions for which you want to install updates. When creating a rule for all applications, you can select specific updates that you want to install and vulnerabilities that you want to fix by means of installing updates.

To create a new rule for updates of all applications:

  1. On the Settings page of the Add Task Wizard, click the Add button.

    The Rule Creation Wizard starts. Follow the steps of the Wizard.

  2. On the Rule type page, select Rule for all updates.
  3. On the General criteria page, use the drop-down lists to specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Updates page, select the updates to be installed:
    • Install all suitable updates

      Install all software updates that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Install only updates from the list

      Install only software updates that you select manually from the list. This list contains all available software updates.

      For example, you may want to select specific updates in the following cases: to check their installation in a test environment, to update only critical applications, or to update only specific applications.

      • Automatically install all previous application updates that are required to install the selected updates

        Keep this option enabled if you agree with the installation of interim application versions when this is required for installing the selected updates.

        If this option is disabled, only the selected versions of applications are installed. Disable this option if you want to update applications in a straightforward manner, without attempting to install successive versions incrementally. If installing the selected updates is not possible without installing previous versions of applications, the updating of the application fails.

        For example, you have version 3 of an application installed on a device and you want to update it to version 5, but version 5 of this application can be installed only over version 4. If this option is enabled, the software first installs version 4, and then installs version 5. If this option is disabled, the software fails to update the application.

        By default, this option is enabled.

  5. On the Vulnerabilities page, select vulnerabilities that will be fixed by installing the selected updates:
    • Fix all vulnerabilities that match other criteria

      Fix all vulnerabilities that meet the criteria specified on the General criteria page of the Wizard. Selected by default.

    • Fix only vulnerabilities from the list

      Fix only vulnerabilities that you select manually from the list. This list contains all detected vulnerabilities.

      For example, you may want to select specific vulnerabilities in the following cases: to check their fix in a test environment, to fix vulnerabilities only in critical applications, or to fix vulnerabilities only in specific applications.

  6. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Rule Creation Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.
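The rule settings above combine an approval filter, an optional severity threshold, and a choice about interim versions. The sketch below is an added example, not Kaspersky code: the class names, field names and short mode keys are hypothetical, and it assumes an update passes the severity filter when at least one vulnerability it fixes meets the threshold.

```python
from dataclasses import dataclass
from typing import Optional

# Ordering of the severity labels named on the page (Low appears only in the MSRC list).
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# The three "Set of updates to install" choices and the approval statuses each admits.
# The dictionary keys are hypothetical short names used only in this example.
APPROVAL_MODES = {
    "approved_only": {"Approved"},
    "all_except_declined": {"Approved", "Undefined"},
    "all_including_declined": {"Approved", "Undefined", "Declined"},
}


@dataclass(frozen=True)
class Update:
    app: str
    version: int
    approval: str                        # "Approved", "Undefined" or "Declined"
    fixes: tuple = ()                    # severity of each vulnerability the update fixes
    installs_over: Optional[int] = None  # version that must already be present; None = any


@dataclass(frozen=True)
class Rule:
    approval_mode: str = "approved_only"
    min_severity: Optional[str] = None   # None = threshold option disabled (the default)
    auto_prerequisites: bool = True      # interim versions allowed (the default)


def meets_general_criteria(update, rule):
    """Apply the General criteria page: approval status, then severity threshold."""
    if update.approval not in APPROVAL_MODES[rule.approval_mode]:
        return False
    if rule.min_severity is None:
        return True
    floor = SEVERITY_RANK[rule.min_severity]
    # Assumption: one qualifying vulnerability is enough to select the update.
    return any(SEVERITY_RANK[s] >= floor for s in update.fixes)


def plan_chain(installed_version, target, catalog, rule):
    """Return the versions to install in order, or None when the update fails.

    Approval of interim versions is not modelled here.
    """
    by_version = {u.version: u for u in catalog if u.app == target.app}
    plan = [target]
    needed = target.installs_over
    while needed is not None and needed != installed_version:
        if not rule.auto_prerequisites:
            return None                  # an interim version is required but not permitted
        interim = by_version.get(needed)
        if interim is None or interim in plan:
            return None                  # missing prerequisite or a dependency loop
        plan.append(interim)
        needed = interim.installs_over
    return [u.version for u in reversed(plan)]


if __name__ == "__main__":
    # Constructed catalogue matching the page's example: version 5 installs only over 4.
    v4 = Update("ExampleApp", 4, "Approved", ("High",), installs_over=3)
    v5 = Update("ExampleApp", 5, "Approved", ("Critical",), installs_over=4)
    print(plan_chain(3, v5, [v4, v5], Rule()))                          # interim allowed
    print(plan_chain(3, v5, [v4, v5], Rule(auto_prerequisites=False)))  # update fails
```
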

To create a new rule for updates of Microsoft applications:

  1. On the Settings page of the Add Task Wizard, click the Add button.

    The Rule Creation Wizard starts. Follow the steps of the Wizard.

  2. On the Rule type page, select Rule for Windows Update.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

    • Fix vulnerabilities with an MSRC severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Microsoft Security Response Center (MSRC) is equal to or higher than the value selected in the list (Low, Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Categories of updates page, select the categories of updates to be installed. These categories are the same as in Microsoft Update Catalog. By default, all categories are selected.
  6. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

To create a new rule for updates of third-party applications:

  1. On the Settings page of the Add Task Wizard, click the Add button.

    The Rule Creation Wizard starts. Follow the steps of the Wizard.

  2. On the Rule type page, select Rule for third-party updates.
  3. On the General criteria page, specify the following settings:
    • Set of updates to install

      Select the updates that must be installed on client devices:

      • Install approved updates only. This installs only approved updates.
      • Install all updates (except declined). This installs updates with the Approved or Undefined approval status.
      • Install all updates (including declined). This installs all updates, regardless of their approval status. Select this option with caution. For example, use this option if you want to check installation of some declined updates in a test infrastructure.
    • Fix vulnerabilities with a severity level equal to or higher than

      Sometimes software updates may impair the user experience with the software. In such cases, you may decide to install only those updates that are critical for the software operation and to skip other updates.

      If this option is enabled, the updates fix only those vulnerabilities for which the severity level set by Kaspersky is equal to or higher than the value selected in the list (Medium, High, or Critical). Vulnerabilities with a severity level lower than the selected value are not fixed.

      If this option is disabled, the updates fix all vulnerabilities regardless of their severity level.

      By default, this option is disabled.

  4. On the Applications page, select the applications and application versions for which you want to install updates. By default, all applications are selected.
  5. On the Name page, specify the name for the rule that you are creating. You can later change this name in the Settings section of the properties window of the created task.

After the Wizard completes its operation, the new rule is created and displayed in the Specify rules for installing updates field of the Add Task Wizard.

See also:

Approving and declining software updates

Scenario: Finding and fixing third-party software vulnerabilities


Groups of applications

This section describes how to manage groups of applications installed on devices.

Creating application categories

Kaspersky Security Center allows you to create categories of applications installed on devices.

Application categories can be created in one of the following ways:

  • The administrator specifies a folder whose executable files are included in the selected category.
  • The administrator specifies a device from which executable files are to be included in the selected category.
  • The administrator sets criteria to be used to include applications in the selected category.

When an application category is created, the administrator can set rules for the application category. Rules define the behavior of applications included in the specified category. For example, you can block or allow startup of applications included in the category.

Managing applications run on devices

Kaspersky Security Center allows you to manage startup of applications on devices in Allowlist mode. For a detailed description, see Kaspersky Endpoint Security for Windows Online Help. While in Allowlist mode, on selected devices you can only start applications included in the specified categories. The administrator can view results of static analysis applied to rules of applications run on devices for each user.

Inventory of software installed on devices

Kaspersky Security Center allows you to perform inventory of software on devices running Windows. Network Agent retrieves information about all applications installed on devices. Information retrieved during inventory is displayed in the workspace of the Applications registry folder. The administrator can view detailed information about any application, including its version and manufacturer.

The number of executable files received from a single device cannot exceed 150,000. Having reached this limit, Kaspersky Security Center cannot receive any new files.

Licensed applications group management

Kaspersky Security Center allows you to create licensed applications groups. A licensed applications group includes applications that meet criteria set by the administrator. The administrator can specify the following criteria for licensed applications groups:

  • Application name
  • Application version
  • Manufacturer
  • Application tag

Applications that meet one or several criteria are automatically included in a group. To create a licensed applications group, you must set at least one criterion for including applications in this group.

Each licensed applications group has its own license key. The license key of a licensed applications group defines the maximum allowed number of installations for applications included in this group. If the number of installations has exceeded the limit set by the license key, an informational event is logged on Administration Server. The administrator can specify an expiration date for the license key. When this date arrives, an informational event is logged on Administration Server.

Viewing information about executable files

Kaspersky Security Center retrieves all information about executable files that have been run on devices since the operating system was installed on them. Information about executable files is displayed in the main application window, in the workspace of the Executable files folder.

In this section

Scenario: Application Management

Creating application categories for Kaspersky Endpoint Security for Windows policies

Creating an application category with content added manually

Creating an application category with content added automatically

Adding event-related executable files to the application category

Configuring application startup management on client devices

Viewing the results of static analysis of startup rules applied to executable files

Viewing the applications registry

Changing the software inventory start time

About license key management of third-party applications

Creating licensed applications groups

Managing license keys for licensed applications groups

Inventory of executable files

Viewing information about executable files


Scenario: Application Management

You can manage application startup on user devices by allowing or blocking applications on managed devices. This functionality is implemented by the Application Control component. You can manage applications installed on Windows devices.

Prerequisites

  • Kaspersky Security Center is deployed in your organization.
  • The Kaspersky Endpoint Security for Windows policy is created and is active.

Stages

The Application Control usage scenario proceeds in stages:

  1. Forming and viewing the list of applications on client devices

    This stage helps you find out what applications are installed on managed devices. You can view the list of applications and decide which applications you want to allow and which you want to prohibit, according to your organization's security policies. The restrictions can be related to the information security policies in your organization. You can skip this stage if you know exactly what applications are installed on managed devices.

    How-to instructions:

  2. Forming and viewing the list of executable files on client devices

    This stage helps you find out what executable files are found on managed devices. View the list of executable files and compare it with the lists of allowed and prohibited executable files. The restrictions on executable file usage can be related to the information security policies in your organization. You can skip this stage if you know exactly what executable files are installed on managed devices.

    How-to instructions:

  3. Creating application categories for the applications used in your organization

    Analyze the lists of applications and executable files stored on managed devices. Based on the analysis, create application categories. It is recommended to create a "Work applications" category that covers the standard set of applications that are used at your organization. If different user groups use different sets of applications in their work, a separate application category can be created for each user group.

    Depending on the set of criteria used to create an application category, you can create application categories of three types.

    How-to instructions:

  4. Configuring Application Control in the Kaspersky Endpoint Security for Windows policy

    Configure the Application Control component in the Kaspersky Endpoint Security for Windows policy using the application categories you have created on the previous stage.

    How-to instructions:

  5. Turning on Application Control component in test mode

    To ensure that Application Control rules do not block applications required for users' work, it is recommended to enable testing of Application Control rules and analyze their operation after creating new rules. When testing is enabled, Kaspersky Endpoint Security for Windows will not block applications whose startup is forbidden by Application Control rules, but will instead send notifications about their startup to the Administration Server.

    When testing Application Control rules, it is recommended to perform the following actions:

    • Determine the testing period. The testing period can vary from several days to two months.
    • Examine the events resulting from testing the operation of Application Control.

    How-to instructions for Kaspersky Security Center 13.1 Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and enable the Test Mode option during the configuration process.

  6. Changing the application categories settings of Application Control component

    If necessary, make changes to the Application Control settings. Based on the test results, you can add executable files related to events of the Application Control component to an application category with content added manually.

    How-to instructions:

  7. Applying the rules of Application Control in operation mode

    After Application Control rules are tested and configuration of application categories is complete, you can apply the rules of Application Control in operation mode.

    How-to instructions for Kaspersky Security Center 13.1 Web Console: Configuring Application Control component in the Kaspersky Endpoint Security for Windows policy. Follow these instructions and disable the Test Mode option during the configuration process.

  8. Verifying Application Control configuration

    Be sure that you have done the following:

    • Created application categories.
    • Configured Application Control using the application categories.
    • Applied the rules of Application Control in operation mode.

Results

When the scenario is complete, application startup on managed devices is controlled. The users can start only those applications that are allowed in your organization and cannot start applications that are prohibited in your organization.

For detailed information about Application Control, refer to Kaspersky Endpoint Security for Windows Online Help and to the Kaspersky Security for Virtualization Light Agent.


Creating application categories for Kaspersky Endpoint Security for Windows policies

You can create application categories for Kaspersky Endpoint Security for Windows policies from the Application categories folder and from the Properties window of a Kaspersky Endpoint Security for Windows policy.

To create an application category for a Kaspersky Endpoint Security policy from the Application categories folder:

  1. In the console tree, select Advanced → Application management → Application categories.
  2. In the workspace of the Application categories folder, click the New category button.

    The New Category Wizard starts.

  3. On the Category type page, select the type of user category:
    • Category with content added manually. Specify the criteria that will be used to assign executable files to the category that is being created.
    • Category that includes executable files from selected devices. Specify a device whose executable files must be automatically assigned to the category.
    • Category that includes executable files from a specific folder. Specify a folder whose executable files must be automatically assigned to the category.
  4. Follow the instructions of the Wizard.

When the Wizard finishes, a custom application category is created. You can view newly created categories by using the list of categories in the workspace of the Application categories folder.

You can also create an application category from the Policies folder.

To create an application category from the Properties window of a Kaspersky Endpoint Security for Windows policy:

  1. In the console tree, select the Policies folder.
  2. In the workspace of the Policies folder, select a Kaspersky Endpoint Security policy for which you want to create a category.
  3. Right-click and select Properties.
  4. In the Properties window that opens, in the left Sections pane select Security Controls → Application control.
  5. In the Application control section, in the Control mode and Action drop-down lists make selections for the Allowlist or Denylist, and then click the Add button.

    The Application Control rule window containing a list of categories opens.

  6. Click the Create new button.
  7. Enter the name of the new category and click OK.

    The New Category Wizard starts.

  8. On the Category type page, select the type of user category:
    • Category with content added manually. Specify the criteria that will be used to assign executable files to the category that is being created.
    • Category that includes executable files from selected devices. Specify a device whose executable files must be automatically assigned to the category.
    • Category that includes executable files from a specific folder. Specify a folder whose executable files must be automatically assigned to the category.
  9. Follow the instructions of the Wizard.

When the Wizard finishes, a custom application category is created. You can view newly created categories in the list of categories.

Application categories are used by the Application Control component included in Kaspersky Endpoint Security for Windows. Application Control allows the administrator to impose restrictions on the startup of applications on client devices—for example, restricting the startups to applications in a specified category.

See also:

Creating an application category with content added automatically

Creating an application category with content added manually

Scenario: Application Management


Creating an application category with content added manually


To create an application category with content added manually:

  1. In the console tree, in the Advanced → Application management folder select the Application categories subfolder.
  2. Click the New category button.

    The New Category Wizard starts. Proceed through the wizard by using the Next button.

  3. On the Category type wizard page, select Category with content added manually as the user category type.
  4. On the Enter the application category name wizard page, enter the new application category name.
  5. On the Configuring conditions for inclusion of applications in categories page, click the Add button.
  6. In the drop-down list, specify the relevant settings:
    • From the list of executable files

      If this option is selected, you can use the list of executable files on the client device to select and add applications to the category.

    • From file properties

      If this option is selected, you can specify the detailed data for the executable files that will be added to the user application category.

    • Metadata from files in folder

      Specify a folder on the client device that contains executable files. The metadata in the executable files that are included in the specified folder will be sent to Administration Server. Executable files that contain the same metadata will be added to the user application category.

    • Checksums of the files in the folder

      If this option is selected, you can select or create a folder on the client device. The MD5 hash of the files in a specified folder will be sent to Administration Server. The applications that have the same hash as the files in the specified folder are added to the user application category.

    • Certificates for the files from the folder

      If this option is selected, you can specify the folder on the client device, which contains executable files signed with certificates. Certificates of executable files are read and added to the category's conditions. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

    • MSI installer files metadata

      If this option is selected, you can specify an MSI installer file as the condition of adding applications to the user category. The application installer metadata will be sent to Administration Server. The applications for which the installer metadata is the same as for the specified MSI installer are added to the user application category.

    • Checksums of the files from the MSI installer of the application

      If this option is selected, you can specify an MSI installer file as the condition of adding applications to the user category. The hash of the application installer files will be sent to Administration Server. The applications for which the hash of MSI installer files is identical to the specified hash are added to the user application category.

    • From KL category

      If this option is selected, you can specify a Kaspersky application category as the condition of adding applications to the user category. The applications from the specified Kaspersky category will be added to the user application category.

    • Specify path to application (masks supported)

      If this option is selected, you can specify the path to the folder on the client device containing the executable files that are to be added to the user application category.

    • Select certificate from repository

      If this option is selected, you can specify certificates from the storage. Executable files that have been signed in accordance with the specified certificates will be added to the user category.

    • Drive type

      If this option is selected, you can specify the type of the medium (any drive or removable drive) on which the application is run. Applications that have been run on the selected drive type are added to the user application category.

  7. On the Creating the application category wizard page, click the Finish button.

    Kaspersky Security Center only handles metadata from digitally signed files. No category can be created on the basis of metadata from files that do not contain a digital signature.

When the Wizard has completed, a user application category is created, with content added manually. You can view the newly created category using the list of categories in the workspace of the Application categories folder.

See also:

Scenario: Application Management


Creating an application category with content added automatically


To create an application category with content added automatically:

  1. In the console tree, in the Advanced → Application management folder select the Application categories subfolder.
  2. Click the New category button to start the New Category Wizard.

    In the Wizard window, select Category with content added automatically as the user category type.

  3. In the Repository folder window, specify the relevant settings:
    • Path to folder for automatic category content addition

      In this field, specify the path to the folder in which Administration Server will regularly search for executable files. The path to this folder is specified when the category is created. The path to this folder cannot be changed.

    • Include dynamic-link libraries (DLL) in this category

      The application category includes dynamic-link libraries (files in DLL format), and the Application Control component logs the actions of such libraries running in the system. Including DLL files in the category may lower the performance of Kaspersky Security Center.

      By default, this check box is cleared.

    • Include script data in this category

      The application category includes data on scripts, and scripts are not blocked by Web Threat Protection. Including the script data in the category may lower the performance of Kaspersky Security Center.

      By default, this check box is cleared.

    • Hash value computing algorithm

      Depending on the version of the security application installed on devices on your network, you must select an algorithm for hash value computing by Kaspersky Security Center for files in this category. Information about computed hash values is stored in the Administration Server database. Storage of hash values does not increase the database size significantly.

      SHA-256 is a cryptographic hash function: no vulnerabilities have been found in its algorithm, and so it is considered the most reliable cryptographic function nowadays. Kaspersky Endpoint Security 10 Service Pack 2 for Windows and later versions support SHA-256 computing. Computing of the MD5 hash function is supported by all versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows.

      Select either of the options of hash value computing by Kaspersky Security Center for files in the category:

      • If all instances of security applications installed on your network are Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions, select the SHA-256 check box. We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows. This may result in failures in the security application operation. In this case, you can use the MD5 cryptographic hash function for files of the category.
      • If any versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows are installed on your network, select the MD5 hash. You cannot add a category that was created based on the criterion of the MD5 checksum of an executable file for Kaspersky Endpoint Security 10 Service Pack 2 for Windows or later versions. In this case, you can use the SHA-256 cryptographic hash function for files of the category.

      If different devices on your network use both earlier and later versions of Kaspersky Endpoint Security 10, select both the SHA-256 check box and the MD5 hash check box.

      The Calculate SHA-256 for files in this category (supported by Kaspersky Endpoint Security 10 Service Pack 2 for Windows and any later versions) check box is selected by default.

      The Calculate MD5 for files in this category (supported by versions earlier than Kaspersky Endpoint Security 10 Service Pack 2 for Windows) check box is cleared by default.

    • Force folder scan for changes

      If this option is enabled, the application regularly checks the folder of category content addition for changes. You can specify the frequency of checks (in hours) in the entry field next to the check box. By default, the time interval between forced checks is 24 hours.

      If this option is disabled, the application does not force any checks of the folder. The Server attempts to access files if they have been modified, added, or deleted.

      By default, this option is disabled.

    • Force folder scan for changes

      In this field, you can specify the time interval (in hours) after which the application starts a forced check for changes to the folder of automatic category content addition. By default, the time interval between forced checks is 24 hours. This field is available if the Force folder scan for changes check box is selected.

      By default, this check box is cleared.

  4. Follow the instructions of the Wizard.

When the Wizard completes, an application category with content added automatically is created. You can view the newly created category using the list of categories in the workspace of the Application categories folder.

See also:

Scenario: Application Management


Adding event-related executable files to the application category


You can add executable files related to the Application startup prohibited and Application startup prohibited in test mode events to an existing application category with content added manually or to a new application category.

To add executable files related to Application Control events to the application category:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Events tab.
  3. On the Events tab, select the required events.
  4. In the context menu of one of the selected events, select Add to category.
  5. In the Action on executable file related to the event window that opens, specify the relevant settings:

    Select one of the following:

    • Add to a new application category

      Select this option if you want to create a new application category.

      Click the OK button to start the Create User Category Wizard. When the Wizard completes, the category with the specified settings is created.

      By default, this option is not selected.

    • Add to an existing application category

      Select this option if you have to add rules to an existing application category. Select the relevant category in the list of application categories.

      This option is selected by default.

    In the Rule type section, select one of the following settings:

    • Add to category

      Select this option if you have to add rules to the conditions of the application category.

      This option is selected by default.

    • Rules for adding to exclusions

      Select this option if you want to add rules to the exclusions of the application category.

    In the File info type section, select one of the following settings:

    • Certificate details (or SHA-256 hashes for files without certificate)

      Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

      Each file has its own unique SHA-256 hash. When you select an SHA-256 hash, only the one corresponding file (for example, a specific application version) ends up in the category.

      Select this option if you want to add the certificate details of an executable file (or the SHA-256 hash for files without a certificate) to the category rules.

      By default, this option is selected.

    • Certificate details (files without a certificate will be skipped)

      Files may be signed with a certificate. Multiple files may be signed with the same certificate. For example, different versions of the same application may be signed with the same certificate, or several different applications from the same vendor may be signed with the same certificate. When you select a certificate, several versions of an application or several applications from the same vendor may end up in the category.

      Select this option if you want to add the certificate details of an executable file to the category rules. If the executable file has no certificate, this file will be skipped. No information about this file will be added to the category.

    • Only SHA-256 (files without hash will be skipped)

      Each file has its own unique SHA-256 hash. When you select an SHA-256 hash, only the one corresponding file (for example, a specific application version) ends up in the category.

      Select this option if you want to add only the SHA-256 hash of the executable file.

    • Only MD5 (discontinued mode, only for Kaspersky Endpoint Security 10 Service Pack 1 version)

      Each file has its own unique MD5 hash. When you select an MD5 hash, only the one corresponding file (for example, a specific application version) ends up in the category.

      Select this option if you want to add only the MD5 hash of the executable file. MD5 hash computing is supported by Kaspersky Endpoint Security 10 Service Pack 1 for Windows and all earlier versions.

  6. Click OK.
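The following PowerShell script is an added example, not part of the Kaspersky documentation or product. It previews, for a folder of executables on a reference device, how many rules each File info type choice above would produce and how many files each certificate covers; with -IncludeMd5 it also computes the MD5 hashes that the Hash value computing algorithm setting refers to. The folder path and the extension filter are assumptions.

```powershell
# Added example, not Kaspersky code: preview how many rules each "File info type"
# choice would produce for a folder of executables.
[CmdletBinding()]
param(
    # Assumption: folder on a reference device that holds the files to review.
    [string]$Folder = 'C:\ReferenceApps',
    # Also compute MD5 (needed only for versions earlier than KES 10 SP2).
    [switch]$IncludeMd5
)

# Assumption: limit the preview to these extensions.
$extensions = '.exe', '.dll', '.msi'

$files = Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction Stop |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() }

# One row per file: signer certificate (if any) and file hashes.
$rows = @(foreach ($file in $files) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $cert = $sig.SignerCertificate
    $row  = [ordered]@{
        Path       = $file.FullName
        SigStatus  = [string]$sig.Status
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Subject    = if ($cert) { $cert.Subject } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
    if ($IncludeMd5) {
        $row['MD5'] = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5).Hash
    }
    [pscustomobject]$row
})

if ($rows.Count -eq 0) {
    Write-Warning "No matching files found under $Folder"
    return
}

# A certificate rule covers every file signed with that certificate;
# a hash rule covers exactly one file content.
$signed         = @($rows | Where-Object { $_.Thumbprint })
$unsigned       = @($rows | Where-Object { -not $_.Thumbprint })
$byCert         = @($signed | Group-Object -Property Thumbprint)
$allHashes      = @($rows | Select-Object -ExpandProperty SHA256 -Unique)
$unsignedHashes = @($unsigned | Select-Object -ExpandProperty SHA256 -Unique)

'Files reviewed: {0}' -f $rows.Count
'Certificate details (or SHA-256 hashes for files without certificate): {0} certificate rule(s) + {1} hash rule(s)' -f $byCert.Count, $unsignedHashes.Count
'Certificate details (files without a certificate will be skipped): {0} certificate rule(s), {1} file(s) skipped' -f $byCert.Count, $unsigned.Count
'Only SHA-256: {0} hash rule(s)' -f $allHashes.Count

# Breadth of each certificate rule within this folder.
$byCert | Sort-Object -Property Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Thumbprint   = $_.Name
        Subject      = $_.Group[0].Subject
        FilesCovered = $_.Count
        SigStatuses  = ($_.Group | Select-Object -ExpandProperty SigStatus -Unique) -join ','
    }
} | Format-Table -AutoSize

# Full per-file detail for review or export.
$rows | Format-Table -AutoSize
```

The FilesCovered column counts only the files in the scanned folder; any other file signed with the same certificate would also fall under that certificate rule.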

See also:

Scenario: Application Management


Configuring application startup management on client devices

Categorization of applications allows you to optimize management of application startup on devices. You can create an application category and configure Application Control for a policy so that only applications from the specified category can be started on devices to which that policy is applied. For example, suppose you have created a category that includes applications named Application_1 and Application_2. After you add this category to a policy, only these two applications are allowed to start on devices to which that policy is applied. If a user attempts to start an application that has not been included in that category, for example, Application_3, this application is blocked from being started. The user is shown a notification stating that Application_3 is blocked from starting, in accordance with an Application Control rule.

You can create a category with content added automatically based on various criteria from a specific folder. In this case, files are automatically added to the category from the specified folder. Executable files of applications are copied to the specified folder and processed automatically; their metrics are added to the category.

To configure application startup management on client devices:

  1. In the Advanced → Application management folder in the console tree, select the Application categories subfolder.
  2. In the workspace of the Application categories folder, create a category of applications that you want to manage while they are being started.
  3. In the Managed devices folder, on the Policies tab click the New policy button to create a new policy for Kaspersky Endpoint Security for Windows, and follow the instructions of the Wizard.

    If such a policy already exists, you can skip this step. You can configure management of the startup of applications in a specified category through the settings of this policy. The newly created policy is displayed in the Managed devices folder on the Policies tab.

  4. Select Properties from the context menu of the policy for Kaspersky Endpoint Security for Windows.

    The properties window of the policy for Kaspersky Endpoint Security for Windows opens.

  5. In the properties window of the Kaspersky Endpoint Security for Windows policy, in the Security Controls → Application Control section, select the Application Control check box.
  6. Click the Add button.

    The Application Control rule window opens.

  7. In the Application Control rule window, in the Category drop-down list select the application category that the startup rule will cover. Configure the startup rule for the selected application category.

    For Kaspersky Endpoint Security 10 Service Pack 2 and later, no categories are displayed if they were created based on the criterion of the MD5 hash of an executable file.

    We do not recommend that you add any categories created according to the criterion of the SHA-256 hash of an executable file for versions earlier than Kaspersky Endpoint Security 10 Service Pack 2. This may result in application failures.

    Detailed instructions on configuring control rules are provided in the Kaspersky Endpoint Security for Windows Online Help.

  8. Click OK.

Applications included in the specified category will be run on devices according to the rule that you created. The newly created rule is displayed in the properties window of the Kaspersky Endpoint Security for Windows policy, in the Application Control section.

See also:

Scenario: Application Management


Viewing the results of static analysis of startup rules applied to executable files

To view information about which executable files users are prohibited from running:

  1. In the Managed devices folder in the console tree, select the Policies tab.
  2. Select Properties from the context menu of the policy for Kaspersky Endpoint Security for Windows.

    The properties window of the application policy opens.

  3. In the Sections pane, select Security Controls and then select the Application Control subsection.
  4. Click the Static analysis button.

    The Analysis of the access rights list window opens. In the left part of the window a user list based on Active Directory data is displayed.

  5. Select a user from the list.

    The right part of the window displays categories of applications assigned to this user.

  6. To view executable files that the user is not allowed to run, in the Analysis of the access rights list window click the View files button.

    A window opens, displaying a list of prohibited executable files.

  7. To view a list of executable files included in a category, select the application category and click the View files in category button.

    A window opens, displaying a list of executable files included in the application category.

See also:

Scenario: Application Management


Viewing the applications registry

Kaspersky Security Center inventories all software installed on managed devices.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration Server. Network Agent automatically receives information about installed applications from the Windows registry.

Retrieval of information about installed applications is only available for devices running Microsoft Windows.

To view the registry of applications installed on client devices,

In the Advanced → Application management folder in the console tree, select the Applications registry subfolder.

The workspace of the Applications registry folder displays a list of applications installed on client devices and the Administration Server.

You can view the details of any application by opening its context menu and selecting Properties. The application properties window displays the application details and information about its executable files, as well as a list of devices on which the application is installed.

In the context menu of any application in the list you can:

  • Add this application to an application category.
  • Assign a tag to the application.
  • Export the list of applications to a CSV file or TXT file.
  • View the application properties, for example, vendor name, version number, list of executable files, list of devices on which the application is installed, list of available software updates, or list of detected software vulnerabilities.

To view applications that meet specific criteria, you can use filtering fields in the workspace of the Applications registry folder.

In the properties window of the selected device, in the Applications registry section, you can view the list of applications installed on the device.

Generating a report on installed applications

In the Applications registry workspace, you can also click the View report on installed applications button to generate a report containing detailed statistics on the installed applications, including the number of devices on which each application is installed. This report, which opens on the Report on Installed applications page, contains information about both the Kaspersky applications and third-party software. If you want information only on Kaspersky applications installed on client devices, in the Summary list, select AO Kaspersky Lab.

Information about Kaspersky applications and third-party software installed on devices that are connected to secondary and virtual Administration Servers is also stored in the applications registry of the primary Administration Server. After you add data from secondary and virtual Administration Servers, click the View report on installed applications button, and on the Report on installed applications page that opens, you can view this information.

To add information from secondary and virtual Administration Servers to the report on installed applications:

  1. In the console tree, select the node with the name of the required Administration Server.
  2. In the workspace of the node, select the Reports tab.
  3. On the Reports tab, select Report on installed applications.
  4. Select Properties from the context menu of the report.

    The Properties: Report on installed applications window opens.

  5. In the Hierarchy of Administration Servers section, select the Include data from secondary and virtual Administration Servers check box.
  6. Click OK.

Information from secondary and virtual Administration Servers will be included in the Report on installed applications.

See also:

Monitoring of applications installation and uninstallation

Scenario: Application Management

Main installation scenario


Changing the software inventory start time

Kaspersky Security Center inventories all software installed on managed client devices running Windows.

Network Agent compiles a list of applications installed on a device, and then transmits this list to Administration Server. Network Agent automatically receives information about installed applications from the Windows registry.

To save device resources, Network Agent by default starts receiving information about installed applications 10 minutes after the Network Agent service starts.

To change the delay between the start of the Network Agent service on a device and the start of the software inventory:

  1. Open the system registry of the device on which Network Agent is installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags

  3. For the KLINV_INV_COLLECTOR_START_DELAY_SEC key, set the required value in seconds.

    The default value is 600 seconds.

  4. Restart the Network Agent service.

The delay between the start of the Network Agent service and the start of the software inventory is changed.
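The same procedure as a PowerShell script, for use where the change has to be repeated on several devices. This is an added example, not Kaspersky code. It assumes that KLINV_INV_COLLECTOR_START_DELAY_SEC is a named value under the NagentFlags key (created as a DWORD if it does not exist yet) and that the Network Agent service is named klnagent; neither is stated on this page, so confirm both on a test device first.

```powershell
# Added example, not Kaspersky code. Run from an elevated PowerShell session.
# Supports -WhatIf to preview the registry write and the service restart.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Delay in seconds between Network Agent service start and inventory start.
    [ValidateRange(0, [int]::MaxValue)]
    [int]$DelaySeconds = 600,
    # Assumption: Windows service name of Network Agent; confirm with Get-Service.
    [string]$ServiceName = 'klnagent'
)

# Step 2: pick the registry path for 32-bit or 64-bit systems.
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags'
} else {
    'HKLM:\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\NagentFlags'
}
$valueName = 'KLINV_INV_COLLECTOR_START_DELAY_SEC'

if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Registry key not found: $keyPath (is Network Agent installed on this device?)"
}

# Record the current setting and keep its registry type if it already exists.
$key    = Get-Item -LiteralPath $keyPath
$before = $key.GetValue($valueName, $null)
$kind   = if ($null -ne $before) {
    $key.GetValueKind($valueName)
} else {
    # Assumption: the value is a DWORD when it has to be created.
    [Microsoft.Win32.RegistryValueKind]::DWord
}

# Step 3: set the required value in seconds.
New-ItemProperty -LiteralPath $keyPath -Name $valueName -Value $DelaySeconds `
    -PropertyType $kind -Force | Out-Null

# Read the value back so the result can be logged or checked.
$after = (Get-Item -LiteralPath $keyPath).GetValue($valueName, $null)

# Step 4: restart the Network Agent service so that the new delay applies.
Restart-Service -Name $ServiceName -ErrorAction Stop

[pscustomobject]@{
    Device      = $env:COMPUTERNAME
    KeyPath     = $keyPath
    ValueName   = $valueName
    ValueKind   = $kind
    Before      = $before
    After       = $after
    ServiceName = $ServiceName
}
```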

See also:

Scenario: Application Management


About license key management of third-party applications

Kaspersky Security Center allows you to track license key usage for third-party applications installed on the managed devices. The list of applications for which you can track license key usage is taken from the applications registry. For each license key, you can specify and track violation of the following restrictions:

  • Maximum number of devices on which the application using this license key can be installed
  • Expiration date of the license key

Kaspersky Security Center does not check whether or not you specify a real license key. You can only track the restrictions that you specify. If one of the restrictions that you impose on a license key is violated, Administration Server registers an informational, warning, or functional failure event.

License keys are bound to applications groups. An applications group is a group of third-party applications that you combine on the basis of one or several criteria. You can define applications by the name of the application, its version, vendor, and tag. An application is added to the group if at least one of the criteria is met. To each applications group, you can bind several license keys, but each license key can be bound to a single applications group only.

One more tool that you can use to track license key usage is the Report on status of licensed applications groups. This report provides information about the current status of licensed applications groups, including:

  • Number of installations of license keys on each applications group
  • Number of license keys in use and vacant license keys
  • Detailed list of licensed applications installed on managed devices

The tools for license key management of third-party applications are located in the Third-party licenses usage subfolder (Advanced → Application management → Third-party licenses usage). In this subfolder, you can create applications groups, add license keys, and generate the Report on statuses on licensed application groups.

The tools for license key management of third-party applications are available only if you enabled the Vulnerability and Patch Management option in the Configure interface window.


Creating licensed applications groups


To create a licensed applications group:

  1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage subfolder.
  2. Click the Add a licensed applications group button to run the Licensed Application Group Addition Wizard.

    The Licensed Application Group Addition Wizard starts.

  3. On the Details of licensed applications group step, specify which applications you want to include in the applications group:
    • Name of licensed applications group
    • Track violated restrictions

      If one of the restrictions that you impose on a license key of the applications group is violated, Administration Server registers an informational, warning, or functional failure event:

      • Informational event: Limit of installations will soon be exceeded (more than 95% is used up) for one of the licensed applications groups
      • Warning event: Limit of installations will soon be exceeded for one of the licensed applications groups
      • Functional failure event: Limit of installations has been exceeded for one of the licensed applications groups

        An event is registered only once, when the stated condition is met. The same event can be registered again only after the number of installations returns to a normal level and the condition is then met again. An event cannot be registered more than once per hour.

    • Criteria for adding detected applications to this licensed applications group

      Specify criteria to define which applications you want to include in the applications group. You can define applications by the name of the application, its version, vendor, and tag. You must specify at least one criterion. An application is added to the group if at least one of the criteria is met.

  4. On the Enter data about existing license keys step, specify the license keys that you want to track. Select the Control if license limit is exceeded option, and then add the license keys:
    1. Click the Add button.
    2. Select the license key that you want to add, and then click the OK button. If the required license key is not listed, click the Add button, and then specify the license key properties.
  5. On the Add licensed applications group step, click the Finish button.

A licensed applications group is created and displayed in the Third-party licenses usage folder.

See also:

Scenario: Application Management


Managing license keys for licensed applications groups

To create a license key for a licensed applications group:

  1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage subfolder.
  2. In the workspace of the Third-party licenses usage folder, click the Manage license keys of licensed applications button.

    The License Key Management in licensed applications window opens.

  3. In the License Key Management in licensed applications window, click the Add button.

    The License key window opens.

  4. In the License key window, specify the properties of the license key and restrictions that the license key imposes on the licensed applications group.
    • Name. The name of the license key.
    • Comment. Notes on the selected license key.
    • Restriction. The number of devices on which the application using this license key can be installed.
    • Expires. The expiration date of the license key.

Created license keys are displayed in the License Key Management in licensed applications window.

To apply a license key to a licensed applications group:

  1. In the Advanced → Application management folder in the console tree, select the Third-party licenses usage subfolder.
  2. In the Third-party licenses usage folder, select a licensed applications group to which you want to apply a license key.
  3. Select Properties from the context menu of the licensed applications group.

    This opens the properties window of the licensed applications group.

  4. In the properties window of the licensed applications group, in the License keys section, select Control if license limit is exceeded.
  5. Click the Add button.

    The Selecting a license key window opens.

  6. In the Selecting a license key window, select a license key that you want to apply to a licensed applications group.
  7. Click OK.

Restrictions imposed on a licensed applications group and specified in the license key will also apply to the selected licensed applications group.

See also:

Scenario: Application Management


Inventory of executable files

You can use an inventory task to inventory executable files on client devices. Kaspersky Endpoint Security for Windows provides the feature of inventorying executable files.

The number of executable files received from a single device cannot exceed 150,000. Having reached this limit, Kaspersky Security Center cannot receive any new files.

You can reduce load on the database while obtaining information about the installed applications. To do this, we recommend that you run an inventory task on reference devices on which a standard set of software is installed.

Before you begin, enable notifications about the applications startup in the Kaspersky Endpoint Security policy and the Network Agent policy, so you can transfer data to Administration Server.

To enable notifications about applications startup:

  • Open the Kaspersky Endpoint Security policy settings and do the following:
    1. Go to General settings → Reports and Storage.
    2. In the Data transfer to Administration Server section, select the About started applications check box.
    3. Save your changes.
  • Open the Network Agent policy settings and do the following:
    1. Go to the Repositories section.
    2. Select the Details of installed applications check box.
    3. Save your changes.

To create an inventory task for executable files on client devices:

  1. In the console tree, select the Tasks folder.
  2. Click the New task button in the workspace of the Tasks folder.

    The Add Task Wizard starts.

  3. In the Select the task type window of the Wizard, select Kaspersky Endpoint Security as the task type, and then select Inventory as the task subtype, and click Next.
  4. Follow the rest of the Wizard instructions.

After the Wizard is done, an inventory task for Kaspersky Endpoint Security is created. The newly created task is displayed in the list of tasks in the workspace of the Tasks folder.

A list of executable files that have been detected on devices during inventory is displayed in the workspace of the Executable files folder.

During inventory, the application detects executable files of the following formats: MZ, COM, PE, NE, SYS, CMD, BAT, PS1, JS, VBS, REG, MSI, CPL, DLL, JAR, and HTML.

See also:

Scenario: Application Management


Viewing information about executable files

To view a list of all executable files detected on client devices,

In the Application management folder of the console tree, select the Executable files subfolder.

The workspace of the Executable files folder displays a list of executable files that have been run on devices since the installation of the operating system or have been detected while running the inventory task of Kaspersky Endpoint Security for Windows.

To view details of executable files that match specific criteria, you can use filtering.

To view the properties of an executable file,

From the context menu of the file, select Properties.

A window opens displaying information about the executable file and a list of devices on which this executable file can be found.

See also:

Scenario: Application Management
