Kaspersky Security Center 13.1

Local installation of applications

This section provides an installation procedure for applications that can be installed on local devices only.

To perform local installation of applications on a specific client device, you must have administrator rights on this device.

To install applications locally on a specific client device:

  1. Install Network Agent on the client device and configure the connection between the client device and Administration Server.
  2. Install the requisite applications on the device as described in the guides of these applications.
  3. Install a management plug-in for each of the installed applications on the administrator's workstation.

Kaspersky Security Center also supports the option of local installation of applications using a stand-alone installation package. Not all Kaspersky applications can be installed by means of Kaspersky Security Center.

In this section

Local installation of Network Agent

Installing Network Agent in non-interactive (silent) mode

Installing Network Agent for Linux in silent mode (with an answer file)

Local installation of the application management plug-in

Installing applications in non-interactive mode

Installing applications by using stand-alone packages

Network Agent installation package settings

Viewing the Privacy Policy

See also:

List of supported Kaspersky applications

Main installation scenario

[Topic 6391]

Local installation of Network Agent

To install Network Agent on a device locally:

  1. On the device, run the setup.exe file from the distribution package downloaded from the internet.

    A window opens prompting you to select Kaspersky applications to install.

  2. In the application selection window, click the Install only Kaspersky Security Center 13.1 Network Agent link to start the Network Agent Setup Wizard. Follow the instructions of the Wizard.

    While the Installation Wizard is running, you can specify the advanced settings of Network Agent (see below).

  3. If you want to use your device as the connection gateway for a specific administration group, in the Connection gateway window of the Setup Wizard select Use Network Agent as a connection gateway in DMZ.
  4. To configure Network Agent during installation on a virtual machine:
    1. If you plan to create dynamic virtual machines from the virtual machine image, enable dynamic mode of Network Agent for Virtual Desktop Infrastructure (VDI). To do this, in the Advanced Settings window of the Setup Wizard, select the Enable dynamic mode for VDI option. 

      Skip this step if you do not plan to create dynamic virtual machines from the virtual machine image.

    2. Optimize the Network Agent operation for VDI. To do this, in the Advanced Settings window of the Setup Wizard, select the Optimize the Kaspersky Security Center Network Agent settings for the virtual infrastructure option.

      Scanning of executable files for vulnerabilities at the device startup will be disabled. Also, this disables the sending of information about the following objects to Administration Server:

      • Hardware registry
      • Applications installed on the device
      • Microsoft Windows updates that must be installed on the local client device
      • Software vulnerabilities detected on the local client device

      You can enable the sending of this information later, in the Network Agent properties or in the Network Agent policy settings.

When the Setup Wizard finishes, Network Agent will be installed on the device.

You can view the properties of the Kaspersky Security Center Network Agent service; you can also start, stop, and monitor Network Agent activity by means of standard Microsoft Windows tools: Computer Management\Services.

See also:

Support of dynamic virtual machines

Viewing the Privacy Policy

[Topic 6392]

Installing Network Agent in non-interactive (silent) mode

Network Agent can be installed in non-interactive mode, that is, without the interactive input of installation parameters. Non-interactive installation uses a Windows Installer package (MSI) for Network Agent. The MSI file is located in the Kaspersky Security Center distribution package, in the Packages\NetAgent\exec folder.

To install Network Agent on a local device in non-interactive mode:

  1. Read the End User License Agreement. Use the command below only if you understand and accept the terms of the End User License Agreement.
  2. Run the command

    msiexec /i "Kaspersky Network Agent.msi" /qn <setup_parameters>

    where setup_parameters is a list of parameters and their respective values, separated by a space (PROP1=PROP1VAL PROP2=PROP2VAL).

    In the list of parameters, you must include EULA=1. Otherwise Network Agent will not be installed.

If you are using the standard connection settings for Kaspersky Security Center 11 and later, and Network Agent on remote devices, run the command:

msiexec /i "Kaspersky Network Agent.msi" /qn /l*vx c:\windows\temp\nag_inst.log SERVERADDRESS=kscserver.mycompany.com EULA=1

/l*vx is the key for writing logs. The log is created during the installation of Network Agent and saved at C:\windows\temp\nag_inst.log.

In addition to nag_inst.log, the application creates the $klssinstlib.log file, which contains the installation log. This file is stored in the %windir%\temp or %temp% folder. For troubleshooting purposes, you or a Kaspersky Technical Support specialist may need both log files—nag_inst.log and $klssinstlib.log.

If you also need to specify the port for connection to the Administration Server, run the command:

msiexec /i "Kaspersky Network Agent.msi" /qn /l*vx c:\windows\temp\nag_inst.log SERVERADDRESS=kscserver.mycompany.com EULA=1 SERVERPORT=14000

The SERVERPORT parameter specifies the port number for connection to Administration Server.

The names and possible values for parameters that can be used when installing Network Agent in non-interactive mode are listed in the Network Agent installation parameters section.

See also:

Network Agent installation parameters

Administration Server installation parameters

Installation of Network Agent in silent mode (without a response file)

Viewing the Privacy Policy

[Topic 73101]

Installing Network Agent for Linux in silent mode (with an answer file)

You can install Network Agent on Linux devices by using an answer file—a text file that contains a custom set of installation parameters: variables and their respective values. Using this answer file allows you to run an installation in the silent (non-interactive) mode, that is, without user participation.

To perform installation of Network Agent for Linux in silent mode:

  1. Prepare the relevant Linux device for remote installation. Download and create the remote installation package, by using a .deb or .rpm package of Network Agent, by means of any suitable package management system.
  2. Read the End User License Agreement. Follow the steps below only if you understand and accept the terms of the End User License Agreement.
  3. Set the value of the KLAUTOANSWERS environment variable by entering the full name of the answer file (including the path), for example, as follows:

    export KLAUTOANSWERS=/tmp/nagent_install/answers.txt

  4. Create the answer file (in TXT format) in the directory that you have specified in the environment variable. Add to the answer file a list of variables in the VARIABLE_NAME=variable_value format, each variable on a separate line.

    For correct usage of the answer file, you must include in it a minimum set of the three required variables:

    • KLNAGENT_SERVER
    • KLNAGENT_AUTOINSTALL
    • EULA_ACCEPTED

    You can also add any optional variables to use more specific parameters of your remote installation. The following table lists all of the variables that can be included in the answer file:

    Variables of the answer file used as parameters of Network Agent for Linux installation in silent mode

    | Variable name | Required | Description | Possible values |
    |---|---|---|---|
    | KLNAGENT_SERVER | Yes | Contains the Administration Server name presented as fully qualified domain name (FQDN) or IP address. | DNS name or IP address. |
    | KLNAGENT_AUTOINSTALL | Yes | Defines whether silent (non-interactive) installation mode is enabled. | 1—Silent mode is enabled; the user is not prompted for any actions during installation. Other—Silent mode is disabled; the user may be prompted for actions during installation. |
    | EULA_ACCEPTED | Yes | Defines whether the user accepts the End User License Agreement (EULA) of Network Agent; when missing, can be interpreted as non-acceptance of the EULA. | 1—I confirm that I have fully read, understand, and accept the terms and conditions of this End User License Agreement. Other or not specified—I do not accept the terms of the License Agreement (installation is not performed). |
    | KLNAGENT_PROXY_USE | No | Defines whether connection with the Administration Server will use proxy settings. The default value is 0. | 1—Proxy settings are used. Other—Proxy settings are not used. |
    | KLNAGENT_PROXY_ADDR | No | Defines the address of the proxy server used for connection with the Administration Server. | DNS name or IP address. |
    | KLNAGENT_PROXY_LOGIN | No | Defines the user name used for login to the proxy server. | Any existing user name. |
    | KLNAGENT_PROXY_PASSWORD | No | Defines the user password used for login to the proxy server. | Any set of alphanumeric characters allowed by the password format in the operating system. |
    | KLNAGENT_VM_VDI | No | Defines whether Network Agent is installed on an image for creation of dynamic virtual machines. | 1—Network Agent is installed on an image, which is subsequently used for creation of dynamic virtual machines. Other—No image is used during installation. |
    | KLNAGENT_VM_OPTIMIZE | No | Defines whether the Network Agent settings are optimal for hypervisor. | 1—The default local settings of Network Agent are modified so that they allow optimized usage on hypervisor. |
    | KLNAGENT_TAGS | No | Lists the tags assigned to the Network Agent instance. | One or multiple tag names separated with semicolon. |
    | KLNAGENT_UDP_PORT | No | Defines the UDP port used by Network Agent. The default value is 15000. | Any existing port number. |
    | KLNAGENT_PORT | No | Defines the non-TLS port used by Network Agent. The default value is 14000. | Any existing port number. |
    | KLNAGENT_SSLPORT | No | Defines the TLS port used by Network Agent. The default value is 13000. | Any existing port number. |
    | KLNAGENT_USESSL | No | Defines whether Transport Layer Security (TLS) is used for connection. | 1 (default)—TLS is used. Other—TLS is not used. |
    | KLNAGENT_GW_MODE | No | Defines whether connection gateway is used. | 1 (default)—The current settings are not modified (at the first call, no connection gateway is specified). 2—No connection gateway is used. 3—Connection gateway is used. 4—The Network Agent instance is used as connection gateway in demilitarized zone (DMZ). |
    | KLNAGENT_GW_ADDRESS | No | Defines the address of the connection gateway. The value is applicable only if KLNAGENT_GW_MODE=3. | DNS name or IP address. |

  5. Install Network Agent:
    • To install Network Agent from an RPM package to a 32-bit operating system, execute the following command:
      # rpm -i klnagent-<build number>.i386.rpm
    • To install Network Agent from an RPM package to a 64-bit operating system, execute the following command:
      # rpm -i klnagent64-<build number>.x86_64.rpm
    • To install Network Agent from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:
      # rpm -i klnagent64-<build number>.aarch64.rpm
    • To install Network Agent from a DEB package to a 32-bit operating system, execute the following command:
      # apt-get install ./klnagent_<build number>_i386.deb
    • To install Network Agent from a DEB package to a 64-bit operating system, execute the following command:
      # apt-get install ./klnagent64_<build number>_amd64.deb
    • To install Network Agent from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:
      # apt-get install ./klnagent64_<build number>_arm64.deb

Installation of Network Agent for Linux starts in silent mode; the user is not prompted for any actions during the process.
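
A pre-flight check for the answer file built in the procedure above, as an added example that is not part of the Kaspersky documentation. Variable names and value meanings are taken from the table; the owner-only file mode rule, the TLS warning and the ksc.example.com server name are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check of a Network Agent for Linux answer file.
# Variable names and meanings are from the table above; the file-mode rule
# and the TLS warning are this example's assumptions, not product behaviour.

# get_var FILE NAME: print the value of the last NAME=value line, if any.
get_var() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# is_port VALUE: succeed when VALUE is an integer in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

fail() { echo "ERROR: $1" >&2; errors=$((errors + 1)); }

# validate_answers FILE: return 0 if usable for a silent install, else 1.
validate_answers() {
    file=$1; errors=0
    [ -r "$file" ] || { fail "cannot read $file"; return 1; }

    # Each non-empty line must be VARIABLE_NAME=variable_value.
    bad=$(grep -n -v -E '^([A-Z][A-Z0-9_]*=.*)?$' "$file" || true)
    [ -z "$bad" ] || fail "not in VARIABLE_NAME=value format: $bad"

    # The three required variables.
    for name in KLNAGENT_SERVER KLNAGENT_AUTOINSTALL EULA_ACCEPTED; do
        [ -n "$(get_var "$file" "$name")" ] || fail "$name is missing or empty"
    done
    # Any value other than 1 means no silent mode / EULA not accepted.
    [ "$(get_var "$file" KLNAGENT_AUTOINSTALL)" = 1 ] ||
        fail "KLNAGENT_AUTOINSTALL is not 1: the installer may prompt"
    [ "$(get_var "$file" EULA_ACCEPTED)" = 1 ] ||
        fail "EULA_ACCEPTED is not 1: installation is not performed"

    # Optional ports must be valid port numbers when present.
    for name in KLNAGENT_UDP_PORT KLNAGENT_PORT KLNAGENT_SSLPORT; do
        value=$(get_var "$file" "$name")
        [ -z "$value" ] || is_port "$value" || fail "$name=$value is not a port"
    done

    # The gateway address is applicable only if KLNAGENT_GW_MODE=3.
    if [ -n "$(get_var "$file" KLNAGENT_GW_ADDRESS)" ] &&
       [ "$(get_var "$file" KLNAGENT_GW_MODE)" != 3 ]; then
        echo "WARN: KLNAGENT_GW_ADDRESS is set but KLNAGENT_GW_MODE is not 3" >&2
    fi
    # KLNAGENT_USESSL other than 1 turns TLS off (default is 1).
    value=$(get_var "$file" KLNAGENT_USESSL)
    [ -z "$value" ] || [ "$value" = 1 ] ||
        echo "WARN: KLNAGENT_USESSL=$value, TLS is not used" >&2

    # Assumption: a file holding the proxy password must be owner-only.
    if grep -q '^KLNAGENT_PROXY_PASSWORD=' "$file"; then
        perms=$(ls -ld "$file" | cut -c5-10)
        [ "$perms" = "------" ] ||
            fail "proxy password in a group/world-accessible file; chmod 600"
    fi
    [ "$errors" -eq 0 ]
}

# Demo on a constructed answer file (the server name is a placeholder).
demo_dir=$(mktemp -d)
( umask 077                     # created owner-only from the start
  cat > "$demo_dir/answers.txt" <<'EOF'
KLNAGENT_SERVER=ksc.example.com
KLNAGENT_AUTOINSTALL=1
EULA_ACCEPTED=1
KLNAGENT_USESSL=1
KLNAGENT_SSLPORT=13000
EOF
)
if validate_answers "$demo_dir/answers.txt"; then
    echo "answer file passes the checks"
fi
rm -rf "$demo_dir"
```

Run the check before exporting KLAUTOANSWERS and starting the package installation; errors and warnings are written to stderr.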

[Topic 199693]

Local installation of the application management plug-in

To install the application management plug-in:

On a device with Administration Console installed, run the klcfginst.exe executable file, which is included in the application distribution package.

The klcfginst.exe file is included in all applications that can be managed through Kaspersky Security Center. Installation is facilitated by the Wizard and requires no manual configuration of settings.

[Topic 6393]

Installing applications in non-interactive mode

To install an application in non-interactive mode:

  1. Open the main window of Kaspersky Security Center.
  2. In the Remote installation folder of the console tree, in the Installation packages subfolder select the installation package of the relevant application or create a new one for that application.

    The installation package will be stored on the Administration Server in the Packages service folder that is in the shared folder. A separate subfolder corresponds to each installation package.

  3. Open the folder storing the required installation package in one of the following ways:
    • By copying the folder corresponding to the relevant installation package from the Administration Server to the client device. Then open the copied folder on the client device.
    • By opening from the client device the shared folder that corresponds to the requisite installation package on the Administration Server.

    If the shared folder is located on a device that has Microsoft Windows Vista installed, you must set the Disabled value for the User account control: Run all administrators in Admin Approval Mode setting (Start → Control Panel → Administration → Local security policy → Security settings).

  4. Depending on the selected application, do the following:
    • For Kaspersky Anti-Virus for Windows Workstations, Kaspersky Anti-Virus for Windows Servers, and Kaspersky Security Center, navigate to the exec subfolder and run the executable file (the file with the .exe extension) with the /s key.
    • For other Kaspersky applications, run the executable file (a file with the .exe extension) with the /s key from the open folder.

    Running the executable file with the EULA=1 and PRIVACYPOLICY=1 keys means that you have fully read, understand and accept the terms of the End User License Agreement and the Privacy Policy, respectively. You are also aware that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy. The text of the License Agreement and the Privacy Policy is included in the Kaspersky Security Center distribution kit. Accepting the terms of the License Agreement and the Privacy Policy is necessary for installing the application or upgrading a previous version of the application.

[Topic 6394]

Installing applications by using stand-alone packages

Kaspersky Security Center lets you create stand-alone installation packages for applications. A stand-alone installation package is an executable file that can be located on the Web Server, sent by email, or transferred to a client device by another method. The received file can be run locally on the client device to install an application without involving Kaspersky Security Center.

To install an application using a stand-alone installation package:

  1. Connect to the necessary Administration Server.
  2. In the Remote installation folder of the console tree, select the Installation packages subfolder.
  3. In the workspace, select the installation package of the required application.
  4. Start the process of creating a stand-alone installation package in one of the following ways:
    • By selecting Create stand-alone installation package in the context menu of the installation package.
    • By clicking the Create stand-alone installation package link in the workspace of the installation package.

    The Stand-alone Installation Package Creation Wizard starts. Follow the instructions of the Wizard.

    At the final step of the Wizard, select a method for transferring the stand-alone installation package to the client device.

  5. Transfer the stand-alone installation package to the client device.
  6. Run the stand-alone installation package on the client device.

The application is now installed on the client device with the settings specified in the stand-alone package.

When you create a stand-alone installation package, it is automatically published on Web Server. The link for downloading the stand-alone package is displayed in the list of created stand-alone installation packages. If necessary, you can cancel publication of the selected stand-alone package and republish it on the Web Server. By default, port 8060 is used for downloading stand-alone installation packages.

[Topic 13020]

Network Agent installation package settings

To configure a Network Agent installation package:

  1. In the Remote installation folder of the console tree, select the Installation packages subfolder.

    The Remote installation folder is a subfolder of the Advanced folder by default.

  2. In the context menu of the Network Agent installation package, select Properties.

The Network Agent installation package properties window opens.

General

The General section displays general information about the installation package:

  • Installation package name
  • Name and version of the application for which the installation package has been created
  • Installation package size
  • Installation package creation date
  • Path to the installation package folder

Settings

This section presents the settings required to ensure proper functioning of Network Agent immediately after it is installed. The settings in this section are available only on devices running Windows.

In the Destination folder group of settings, you can select the client device folder in which Network Agent will be installed.

  • Install in default folder

    If this option is selected, Network Agent will be installed in the <Drive>:\Program Files\Kaspersky Lab\NetworkAgent folder. If this folder does not exist, it will be created automatically.

    By default, this option is selected.

  • Install in specified folder

    If this option is selected, Network Agent will be installed in the folder specified in the entry field.

In the following group of settings, you can set a password for the Network Agent remote uninstallation task:

  • Use uninstallation password

    If this option is enabled, by clicking the Modify button you can enter the uninstall password (only available for Network Agent on devices running Windows operating systems).

    By default, this option is disabled.

  • Status

    Status of the password: Password set or Password not set.

    By default, this password is not set.

  • Protect Network Agent service against unauthorized removal or termination, and to prevent changes to the settings

    After Network Agent is installed on a managed device, the component cannot be removed or reconfigured without required privileges. The Network Agent service cannot be stopped.

    By default, this option is disabled.

  • Automatically install applicable updates and patches for components that have the Undefined status

    If this option is enabled, all downloaded updates and patches for Administration Server, Network Agent, Administration Console, Exchange Mobile Device Server, and iOS MDM Server will be installed automatically (automatic updating and patching is only available starting from Kaspersky Security Center 10 Service Pack 2 version).

    If this option is disabled, all downloaded updates and patches will only be installed after you change their status to Approved. Updates and patches with Undefined status will not be installed.

    By default, this option is enabled.

Connection

In this section, you can configure connection of Network Agent to the Administration Server. To establish a connection, you can use the SSL or UDP protocol. For configuring the connection, specify the following settings:

  • Administration Server

    Address of the device with Administration Server installed.

  • Port

    Port number that is used for connection.

  • SSL port

    Port number that is used for connection over the SSL protocol.

  • Use Server certificate

    If this option is enabled, authentication of Network Agent access to the Administration Server will use the certificate file that you can specify by clicking the Browse button.

    If this option is disabled, the certificate file will be received from the Administration Server at the first connection of Network Agent to the address specified in the Server address field.

    We do not recommend disabling this option, because automatic receipt of an Administration Server certificate by Network Agent upon connection to the Administration Server is considered insecure.

    By default, this check box is selected.

  • Use SSL

    If this option is enabled, connection to the Administration Server is established through a secure port via SSL.

    By default, this option is disabled. We recommend that you do not disable this option so your connection remains secured.

  • Use UDP port

    If this option is enabled, Network Agent is connected to Administration Server through a UDP port. This allows you to manage client devices and receive information about them.

    The UDP port must be open on managed devices where Network Agent is installed. Therefore, we recommend that you do not disable this option.

    By default, this option is enabled.

  • UDP port number

    In this field you can specify the port to connect Network Agent to Administration Server using UDP protocol.

    The default UDP port is 15000.

  • Open Network Agent ports in Microsoft Windows Firewall

    If this option is enabled, after you install Network Agent on the client device, a UDP port is added to the list of Microsoft Windows Firewall exclusions. This UDP port is required for Network Agent to run properly.

    By default, this option is enabled.

Advanced

In the Advanced section, you can configure how to use the connection gateway. For this purpose, you can do the following:

  • Use Network Agent as a connection gateway in the demilitarized zone (DMZ) to connect to Administration Server, communicate with it, and keep data on the Network Agent safe during data transmission.
  • Connect to Administration Server by using a connection gateway to reduce the number of connections to the Administration Server. In this case, enter the address of the device that will act as the connection gateway in the Connection gateway address field.
  • Configure the connection for Virtual Desktop Infrastructure (VDI) if your network includes virtual machines. For this purpose, do the following:
    • Enable dynamic mode for VDI

      If this option is enabled, dynamic mode for Virtual Desktop Infrastructure (VDI) will be enabled for Network Agent installed on a virtual machine.

      By default, this option is disabled.

    • Optimize settings for VDI

      If this option is enabled, the following features are disabled in the Network Agent settings:

      • Retrieving information about software installed
      • Retrieving information about hardware
      • Retrieving information about vulnerabilities detected
      • Retrieving information about updates required

      By default, this option is disabled.

Additional components

In this section you can select additional components for concurrent installation with Network Agent.

Tags

The Tags section displays a list of keywords (tags) that can be added to client devices after Network Agent installation. You can add and remove tags from the list, as well as rename them.

If the check box is selected next to a tag, this tag is automatically added to managed devices during Network Agent installation.

If the check box is cleared next to a tag, the tag will not automatically be added to managed devices during Network Agent installation. You can manually add this tag to devices.

When removing a tag from the list, it is automatically removed from all devices to which it was added.

Revision history

In this section, you can view the history of the installation package revisions. You can compare revisions, view revisions, save revisions to a file, and add and edit revision descriptions.

Network Agent installation package settings available to a specific operating system are given in the table below.

Network Agent installation package settings

| Property section | Windows | Mac | Linux |
|---|---|---|---|
| General | Included. | Included. | Included. |
| Settings | Included. | Excluded. | Excluded. |
| Connection | Included. | Included. (except for the Open Network Agent ports in Microsoft Windows Firewall and Use only automatic detection of proxy server options) | Included. (except for the Open Network Agent ports in Microsoft Windows Firewall and Use only automatic detection of proxy server options) |
| Advanced | Included. | Included. | Included. |
| Additional components | Included. | Included. | Included. |
| Tags | Included. | Included. (except for the automatic tagging rules) | Included. (except for the automatic tagging rules) |
| Revision history | Included. | Included. | Included. |

[Topic 154925]

Viewing the Privacy Policy

The Privacy Policy is available online at https://www.kaspersky.com/products-and-services-privacy-policy; it is also available offline. You can read the Privacy Policy, for example, before installing Network Agent.

To read the Privacy Policy offline:

  1. Start the installer of Kaspersky Security Center.
  2. In the installer window, proceed to the Extract installation packages link.
  3. In the list that opens, select Kaspersky Security Center 13.1 Network Agent, and then click Next.

The privacy_policy.txt file appears on your device, in the folder that you specified, in the NetAgent_<current version> subfolder.

[Topic 204023]