Kaspersky Next XDR Expert

Updating Kaspersky databases and applications

This section describes steps you must take to regularly update the following:

  • Kaspersky databases and software modules
  • Installed Kaspersky applications, including Open Single Management Platform components and security applications

Updates functionality (including providing anti-virus signature updates and codebase updates), as well as KSN functionality, may not be available in the software in the U.S.

In this section

Scenario: Regular updating Kaspersky databases and applications

About updating Kaspersky databases, software modules, and applications

Creating the Download updates to the Administration Server repository task

Viewing downloaded updates

Verifying downloaded updates

Creating the task for downloading updates to the repositories of distribution points

Adding sources of updates for the Download updates to the Administration Server repository task

About using diff files for updating Kaspersky databases and software modules

Enabling the Downloading diff files feature

Downloading updates by distribution points

Updating Kaspersky databases and software modules on offline devices

[Topic 180963]

Scenario: Regular updating Kaspersky databases and applications

This section provides a scenario for regular updating of Kaspersky databases, software modules, and applications. After you complete the Configuring network protection scenario, you must maintain the reliability of the protection system to make sure that the Administration Servers and managed devices are kept protected against various threats, including viruses, network attacks, and phishing attacks.

Network protection is kept up-to-date by regular updates of the following:

  • Kaspersky databases and software modules
  • Installed Kaspersky applications, including Open Single Management Platform components and security applications

When you complete this scenario, you can be sure of the following:

  • Your network is protected by the most recent Kaspersky software, including Open Single Management Platform components and security applications.
  • The anti-virus databases and other Kaspersky databases critical for the network safety are always up-to-date.

Prerequisites

The managed devices must have a connection to the Administration Server. If they do not have a connection, consider updating Kaspersky databases and software modules manually or directly from the Kaspersky update servers.

Administration Server must have a connection to the internet.

Before you start, make sure that you have done the following:

  1. Deployed the Kaspersky security applications to the managed devices according to the scenario of deploying Kaspersky applications through OSMP Console.
  2. Created and configured all required policies, policy profiles, and tasks according to the scenario of configuring network protection.
  3. Assigned an appropriate number of distribution points in accordance with the number of managed devices and the network topology.

Updating Kaspersky databases and applications proceeds in stages:

  1. Choosing an update scheme

    There are several schemes that you can use to install updates to Open Single Management Platform components and security applications. Choose the scheme or several schemes that meet the requirements of your network best.

  2. Creating the task for downloading updates to the repository of the Administration Server

    Create the Download updates to the Administration Server repository task manually.

    This task is required to download updates from Kaspersky update servers to the repository of the Administration Server, as well as to update Kaspersky databases and software modules for Open Single Management Platform. After the updates are downloaded, they can be propagated to the managed devices.

    If your network has assigned distribution points, the updates are automatically downloaded from the Administration Server repository to the repositories of the distribution points. In this case the managed devices included in the scope of a distribution point download the updates from the repository of the distribution point instead of the Administration Server repository.

    How-to instructions: Creating the task for downloading updates to the repository of the Administration Server

  3. Creating the task for downloading updates to the repositories of distribution points (optional)

    By default, the updates are downloaded to the distribution points from the Administration Server. You can configure Open Single Management Platform to download the updates to the distribution points directly from Kaspersky update servers. Download to the repositories of distribution points is preferable if the traffic between the Administration Server and the distribution points is more expensive than the traffic between the distribution points and Kaspersky update servers, or if your Administration Server does not have internet access.

    When your network has assigned distribution points and the Download updates to the repositories of distribution points task is created, the distribution points download updates from Kaspersky update servers, and not from the Administration Server repository.

    How-to instructions: Creating the task for downloading updates to the repositories of distribution points

  4. Configuring distribution points

    When your network has assigned distribution points, make sure that the Deploy updates option is enabled in the properties of all required distribution points. When this option is disabled for a distribution point, the devices included in the scope of the distribution point download updates from the repository of the Administration Server.

  5. Optimizing the update process by using the diff files (optional)

    You can optimize traffic between the Administration Server and the managed devices by using diff files. When this feature is enabled, the Administration Server or a distribution point downloads diff files instead of entire files of Kaspersky databases or software modules. A diff file describes the differences between two versions of a file of a database or software module. Therefore, a diff file occupies less space than an entire file. This results in a decrease in traffic between the Administration Server or distribution points and the managed devices. To use this feature, enable the Download diff files option in the properties of the Download updates to the Administration Server repository task and/or the Download updates to the repositories of distribution points task.

    How-to instructions: Using diff files for updating Kaspersky databases and software modules

  6. Configuring automatic installation of updates for the security applications

    Create the Update tasks for the managed applications to provide timely updates to the software modules and Kaspersky databases, including anti-virus databases. To ensure timely updates, we recommend that you select the When new updates are downloaded to the repository option when configuring the task schedule.

    If your network includes IPv6-only devices and you want to regularly update the security applications installed on these devices, make sure that the Administration Server version 13.2 and the Network Agent version 13.2 are installed on managed devices.

    If an update requires reviewing and accepting the terms of the End User License Agreement, then you first need to accept the terms. After that the update can be propagated to the managed devices.

Results

Upon completion of the scenario, Open Single Management Platform is configured to update Kaspersky databases after the updates are downloaded to the repository of the Administration Server. You can then proceed to monitoring the network status.

[Topic 180689]

About updating Kaspersky databases, software modules, and applications

To be sure that the protection of your Administration Servers and managed devices is up-to-date, you must provide timely updates of the following:

  • Kaspersky databases and software modules

    Before downloading Kaspersky databases and software modules, Open Single Management Platform checks if Kaspersky servers are accessible. If access to the servers using system DNS is not possible, the application uses public DNS servers. This is necessary to make sure anti-virus databases are updated and the level of security is maintained for the managed devices.

  • Installed Kaspersky applications, including Open Single Management Platform components and security applications

    Open Single Management Platform cannot update Kaspersky applications automatically. To update the applications, download the latest application versions from the Kaspersky website, and install them manually:

Depending on the configuration of your network, you can use the following schemes of downloading and distributing the required updates to the managed devices:

  • By using a single task: Download updates to the Administration Server repository
  • By using two tasks:
    • The Download updates to the Administration Server repository task
    • The Download updates to the repositories of distribution points task
  • Manually through a shared folder or an FTP server
  • Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices
  • Through a network folder if Administration Server has no internet connection

Using the Download updates to the Administration Server repository task

In this scheme, Open Single Management Platform downloads updates through the Download updates to the Administration Server repository task. In small networks that contain fewer than 300 managed devices in a single network segment or fewer than 10 managed devices in each network segment, the updates are distributed to the managed devices directly from the Administration Server repository (see figure below).

Updating by using the Download updates to the Administration Server repository task without distribution points

As a source of updates, you can use not only Kaspersky update servers, but also a network folder.

By default, the Administration Server communicates with Kaspersky update servers and downloads updates by using the HTTPS protocol. You can configure the Administration Server to use the HTTP protocol instead of HTTPS.

If your network contains 300 managed devices or more in a single network segment or if your network consists of several network segments with more than 9 managed devices in each network segment, we recommend that you use distribution points to propagate the updates to the managed devices (see figure below). Distribution points reduce the load on the Administration Server and optimize traffic between the Administration Server and the managed devices. You can calculate the number and configuration of distribution points required for your network.

In this scheme, the updates are automatically downloaded from the Administration Server repository to the repositories of the distribution points. The managed devices included in the scope of a distribution point download the updates from the repository of the distribution point instead of the Administration Server repository.

Updating by using the Download updates to the Administration Server repository task with distribution points

When the Download updates to the Administration Server repository task is complete, the updates for Kaspersky databases and software modules for Kaspersky Endpoint Security are downloaded to the Administration Server repository. These updates are installed through the Update task for Kaspersky Endpoint Security.

The Download updates to the repository of the Administration Server task is not available on virtual Administration Servers. The repository of the virtual Administration Server displays updates downloaded to the primary Administration Server.

You can configure the updates to be verified for operability and errors on a set of test devices. If the verification is successful, the updates are distributed to other managed devices.

Each Kaspersky application requests required updates from Administration Server. Administration Server aggregates these requests and downloads only those updates that are requested by any application. This ensures that the same updates are not downloaded multiple times and that unnecessary updates are not downloaded at all. When running the Download updates to the Administration Server repository task, Administration Server sends the following information to Kaspersky update servers automatically in order to ensure the downloading of relevant versions of Kaspersky databases and software modules:

  • Application ID and version
  • Application setup ID
  • Active key ID
  • Download updates to the repository of the Administration Server task run ID

None of the transmitted information contains personal or other confidential data. AO Kaspersky Lab protects information in accordance with requirements established by law.

Using two tasks: the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task

You can download updates to the repositories of distribution points directly from the Kaspersky update servers instead of the Administration Server repository, and then distribute the updates to the managed devices (see figure below). Download to the repositories of distribution points is preferable if the traffic between the Administration Server and the distribution points is more expensive than the traffic between the distribution points and Kaspersky update servers, or if your Administration Server does not have internet access.

Updating by using the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task

By default, the Administration Server and distribution points communicate with Kaspersky update servers and download updates by using the HTTPS protocol. You can configure the Administration Server and/or distribution points to use the HTTP protocol instead of HTTPS.

To implement this scheme, create the Download updates to the repositories of distribution points task in addition to the Download updates to the Administration Server repository task. After that the distribution points will download updates from Kaspersky update servers, and not from the Administration Server repository.

The Download updates to the Administration Server repository task is also required for this scheme, because this task is used to download Kaspersky databases and software modules for Open Single Management Platform.
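
The update paths in the two schemes above can be resolved per device to find which hosts need outbound access to Kaspersky update servers, for example when writing egress firewall rules. The following Python model is an added example, not Kaspersky code: it encodes only the behavior described in this section, and the class names, host names, and topology are constructed for illustration. It assumes a distribution point counts as needing egress only when at least one device actually pulls updates from it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

KASPERSKY = "Kaspersky update servers"
ADMIN_SERVER = "Administration Server"


@dataclass(frozen=True)
class DistributionPoint:
    name: str
    deploy_updates: bool = True  # "Deploy updates" option in the distribution point properties


@dataclass(frozen=True)
class Device:
    name: str
    distribution_point: Optional[str] = None  # distribution point whose scope includes the device


def update_chain(device: Device, dps: Dict[str, DistributionPoint],
                 dp_task_created: bool, server_source: str = KASPERSKY) -> List[str]:
    """Hosts an update passes through, from the device's source back to the origin."""
    dp = dps.get(device.distribution_point) if device.distribution_point else None
    if dp is None or not dp.deploy_updates:
        # No distribution point, or "Deploy updates" is disabled: the device
        # downloads from the Administration Server repository.
        return [ADMIN_SERVER, server_source]
    if dp_task_created:
        # The Download updates to the repositories of distribution points task
        # exists: the distribution point bypasses the Administration Server.
        return [dp.name, KASPERSKY]
    # Default: the distribution point is fed from the Administration Server repository.
    return [dp.name, ADMIN_SERVER, server_source]


def egress_hosts(devices: List[Device], dps: Dict[str, DistributionPoint],
                 dp_task_created: bool, server_source: str = KASPERSKY) -> Set[str]:
    """Hosts that must be able to reach Kaspersky update servers."""
    hosts: Set[str] = set()
    # The Administration Server task is required in every scheme, so the server
    # needs egress unless its update source is something else (a network folder).
    if server_source == KASPERSKY:
        hosts.add(ADMIN_SERVER)
    for device in devices:
        chain = update_chain(device, dps, dp_task_created, server_source)
        if KASPERSKY in chain:
            hosts.add(chain[chain.index(KASPERSKY) - 1])
    return hosts


# Constructed topology: one device without a distribution point, one behind a
# working distribution point, one behind a distribution point with
# "Deploy updates" disabled.
DPS = {
    "dp-branch": DistributionPoint("dp-branch"),
    "dp-lab": DistributionPoint("dp-lab", deploy_updates=False),
}
DEVICES = [
    Device("hq-ws-01"),
    Device("branch-ws-01", "dp-branch"),
    Device("lab-ws-01", "dp-lab"),
]

if __name__ == "__main__":
    for task_created in (False, True):
        print(f"distribution point download task created: {task_created}")
        for dev in DEVICES:
            print(f"  {dev.name}: {' <- '.join(update_chain(dev, DPS, task_created))}")
        print(f"  egress needed: {sorted(egress_hosts(DEVICES, DPS, task_created))}")
```
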

Manually through a shared folder or an FTP server

If the client devices do not have a connection to the Administration Server, you can use a shared resource as a source for updating Kaspersky databases, software modules, and applications. In this scheme, you need to copy required updates from the Administration Server repository to a removable drive, then copy the updates to the shared resource specified as an update source in the settings of Kaspersky Endpoint Security (see figure below).

Updating through a shared folder or an FTP server

For more information about sources of updates in Kaspersky Endpoint Security, see the following Helps:

Directly from Kaspersky update servers to Kaspersky Endpoint Security on the managed devices

On the managed devices, you can configure Kaspersky Endpoint Security to receive updates directly from Kaspersky update servers (see figure below).

Updating security applications directly from Kaspersky update servers

In this scheme, the security application does not use the repository provided by Open Single Management Platform. To receive updates directly from Kaspersky update servers, specify Kaspersky update servers as an update source in the security application. For more information about these settings, see the following Helps:

Through a network folder if Administration Server has no internet connection

If Administration Server has no internet connection, you can configure the Download updates to the Administration Server repository task to download updates from a network folder. In this case, you must copy the required update files to the specified folder from time to time. For example, you can copy the required update files from one of the following sources:

  • Administration Server that has an internet connection (see the figure below)

    Because an Administration Server downloads only the updates that are requested by the security applications, the sets of security applications managed by the Administration Servers—the one that has an internet connection and the one that does not—must match.

    If the Administration Server that you use to download updates has version 13.2 or earlier, open the properties of the Download updates to the Administration Server repository task, and then enable the Download updates by using the old scheme option.

    Updating through a network folder if Administration Server has no internet connection

  • Kaspersky Update Utility

    Because this utility uses the old scheme to download updates, open the properties of the Download updates to the Administration Server repository task, and then enable the Download updates by using the old scheme option.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 46875]

Creating the Download updates to the Administration Server repository task


The Download updates to the Administration Server repository task allows you to download updates of databases and software modules for Kaspersky security applications from Kaspersky update servers to the Administration Server repository. In the task list, there can only be one Download updates to the Administration Server repository task.

After the Download updates to the Administration Server repository task is complete and the updates are downloaded, they can be propagated to the managed devices.

Before you distribute updates to the managed devices, you can run the Update verification task. This allows you to make sure that Administration Server installs the downloaded updates properly and that the security level is not decreased because of the updates. To verify the updates before distributing them, configure the Run update verification option in the Download updates to the Administration Server repository task settings.

To create a Download updates to the Administration Server repository task:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click Add.

    The New task wizard starts. Follow the steps of the wizard.

  3. For the Open Single Management Platform application, select the Download updates to the Administration Server repository task type.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. On the Finish task creation page, you can enable the Open task details when creation is complete option to open the task properties window and modify the default task settings. Otherwise, you can configure task settings later, at any time.
  6. Click the Finish button.

    The task is created and displayed in the task list.

  7. Click the created task name to open the task properties window.
  8. In the task properties window, on the Application settings tab, specify the following settings:
    • Sources of updates

      As a source of updates, you can use Kaspersky update servers or a network folder. If you create a task for a secondary or virtual Administration Server, you can also select a local folder or a primary Administration Server as a source of updates.

      In the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task, user authentication does not work if you select a password-protected local or network folder as an update source. To resolve this issue, first mount the password-protected folder, and then specify the required credentials, for example, by means of the operating system. After that, you can select this folder as an update source in an update download task. Open Single Management Platform will not require that you enter the credentials.

    • Folder for storing updates

      The path to the specified folder for storing saved updates. You can copy the specified folder path to the clipboard. You cannot change the path to a specified folder for a group task.

    • Force update of secondary Administration Servers

      If this option is enabled, the Administration Server starts update tasks on the secondary Administration Servers as soon as new updates are downloaded. Update tasks are started by using the source of update that is configured in the task properties on the secondary Administration Servers.

      If this option is disabled, the update tasks on the secondary Administration Servers start according to their schedules.

      By default, this option is disabled.

    • Copy downloaded updates to additional folders

      After the Administration Server receives updates, it copies them to the specified folders. Use this option if you want to manually manage the distribution of updates on your network.

      For example, you may want to use this option in the following situation: the network of your organization consists of several independent subnets, and devices from each of the subnets do not have access to other subnets. However, devices in all of the subnets have access to a common network share. In this case, you set Administration Server in one of the subnets to download updates from Kaspersky update servers, enable this option, and then specify this network share. In the Download updates to the Administration Server repository tasks for other Administration Servers, specify the same network share as the update source.

      By default, this option is disabled.

    • Download diff files

      This option enables the downloading diff files feature.

      By default, this option is disabled.

    • Download updates by using the old scheme

      Open Single Management Platform downloads updates of databases and software modules by using the new scheme. For the application to download updates by using the new scheme, the update source must contain the update files with the metadata compatible with the new scheme. If the update source contains the update files with the metadata compatible with the old scheme only, enable the Download updates by using the old scheme option. Otherwise, the update download task will fail.

      For example, you must enable this option when a local or network folder is specified as an update source and the update files in this folder were downloaded by Kaspersky Update Utility which downloads updates by using the old scheme.

      By default, this option is disabled.

    • Run update verification

      Administration Server downloads updates from the source, saves them to a temporary repository, and runs the task defined in the Update verification task field. If the task completes successfully, the updates are copied from the temporary repository to a shared folder on the Administration Server and then distributed to all devices for which the Administration Server acts as the source of updates (tasks with the When new updates are downloaded to the repository schedule type are started). The task of downloading updates to the repository is finished only after completion of the Update verification task.

      By default, this option is disabled.

  9. In the task properties window, on the Schedule tab, create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:
      • Manually (selected by default)

        The task does not run automatically. You can only start it manually.

        By default, this option is selected.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every 6 hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Friday at the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Open Single Management Platform.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of the week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected. The default start time is 18:00.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. This parameter only works if both tasks are assigned to the same devices.

    • Additional task settings:
      • Run missed tasks

        This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

        If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

        If this option is disabled, only scheduled tasks run on client devices. For the Manually, Once, and Immediately schedules, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

        By default, this option is disabled.

      • Use automatically randomized delay for task starts

        If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

        The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

        If this option is disabled, the task starts on client devices according to the schedule.

      • Use randomized delay for task starts within an interval of (min)

        If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

        If this option is disabled, the task starts on client devices according to the schedule.

        By default, this option is disabled. The default time interval is one minute.

      • Stop the task if it runs longer than (min)

        After the specified time period expires, the task is stopped automatically, whether it is completed or not.

        Enable this option if you want to interrupt (or stop) tasks that take too long to execute.

        By default, this option is disabled. The default task execution time is 120 minutes.

  10. Click the Save button.

The task is created and configured.

When Administration Server performs the Download updates to the Administration Server repository task, updates to databases and software modules are downloaded from the updates source and stored on Administration Server. If you create this task for an administration group, it will only be applied to Network Agents included in the specified administration group.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 180697]

Viewing downloaded updates

When Administration Server performs the Download updates to the Administration Server repository task, updates to databases and software modules are downloaded from the updates source and stored on Administration Server. You can view the downloaded updates in the Updates for Kaspersky databases and software modules section.

To view the list of downloaded updates,

In the main menu, go to Operations → Kaspersky applications → Updates for Kaspersky databases and software modules.

A list of available updates appears.

See also:

Scenario: Regular updating Kaspersky databases and applications

Creating the Download updates to the Administration Server repository task

[Topic 232782]

Verifying downloaded updates


Before installing updates to the managed devices, you can first check the updates for operability and errors through the Update verification task. The Update verification task is performed automatically as part of the Download updates to the Administration Server repository task. The Administration Server downloads updates from the source, saves them in the temporary repository, and runs the Update verification task. If the task completes successfully, the updates are copied from the temporary repository to the Administration Server repository. They are distributed to all client devices for which the Administration Server is the source of updates.

If the Update verification task finds that the updates located in the temporary repository are incorrect, or if the Update verification task completes with an error, the updates are not copied to the Administration Server repository. The Administration Server retains the previous set of updates. In this case, the tasks that have the When new updates are downloaded to the repository schedule type are not started either. These operations are performed at the next start of the Download updates to the Administration Server repository task if scanning of the new updates completes successfully.

A set of updates is considered invalid if any of the following conditions is met on at least one test device:

  • An update task error occurred.
  • The real-time protection status of the security application changed after the updates were applied.
  • An infected object was detected during running of the on-demand scan task.
  • A runtime error of a Kaspersky application occurred.

If none of the listed conditions is true for any test device, the set of updates is considered valid, and the Update verification task is considered to have completed successfully.

Before you start to create the Update verification task, perform the prerequisites:

  1. Create an administration group with several test devices. You will need this group to verify the updates.

    We recommend using devices with the most reliable protection and the most popular application configuration across the network. This approach increases the quality and probability of virus detection during scans, and minimizes the risk of false positives. If viruses are detected on test devices, the Update verification task is considered unsuccessful.

  2. Create the update and malware scan tasks for an application supported by Open Single Management Platform, for example, Kaspersky Endpoint Security for Linux. When creating the update and malware scan tasks, specify the administration group with the test devices.

    The Update verification task sequentially runs the update and malware scan tasks on test devices to check that all updates are valid. In addition, when creating the Update verification task, you need to specify the update and malware scan tasks.

  3. Create the Download updates to the Administration Server repository task.

To make Open Single Management Platform verify downloaded updates before distributing them to client devices:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click the Download updates to the Administration Server repository task.
  3. In the task properties window that opens, go to the Application settings tab, and then enable the Run update verification option.
  4. If the Update verification task exists, click the Select task button. In the window that opens, select the Update verification task in the administration group with test devices.
  5. If you did not create the Update verification task earlier, do the following:
    1. Click the New task button.
    2. In the New task wizard that opens, specify the task name if you want to change the preset name.
    3. Select the administration group with test devices, which you created earlier.
    4. First, select the update task of a required application supported by Open Single Management Platform, and then select the malware scan task.

      After that, the following options appear. We recommend leaving them enabled:

    5. Specify an account from which the Update verification task will be run. You can use your account and leave the Default account option enabled. Alternatively, you can specify that the task should be run under another account that has the necessary access rights. To do this, select the Specify account option, and then enter the credentials of that account.
  6. Click Save to close the properties window of the Download updates to the Administration Server repository task.

Automatic update verification is now enabled. You can run the Download updates to the Administration Server repository task, and it will start with update verification.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 181095]

Creating the task for downloading updates to the repositories of distribution points

You can create the Download updates to the repositories of distribution points task for an administration group. This task will run for distribution points included in the specified administration group.

You can use this task, for example, if traffic between the Administration Server and the distribution point(s) is more expensive than traffic between the distribution point(s) and Kaspersky update servers, or if your Administration Server does not have internet access.

This task is required to download updates from Kaspersky update servers to the repositories of distribution points. The list of updates includes:

  • Updates to databases and software modules for Kaspersky security applications
  • Updates to Open Single Management Platform components
  • Updates to Kaspersky security applications

After the updates are downloaded, they can be propagated to the managed devices.

To create the Download updates to the repositories of distribution points task, for a selected administration group:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click the Add button.

    The New task wizard starts. Follow the steps of the wizard.

  3. For the Open Single Management Platform application, in the Task type field select Download updates to the repositories of distribution points.
  4. Specify the name for the task that you are creating. A task name cannot be more than 100 characters long and cannot include any special characters ("*<>?\:|).
  5. Select an option button to specify the administration group, the device selection, or the devices to which the task applies.
  6. At the Finish task creation step, if you want to modify the default task settings, enable the Open task details when creation is complete option. If you do not enable this option, the task is created with the default settings. You can modify the default settings later, at any time.
  7. Click the Create button.

    The task is created and displayed in the list of tasks.

  8. Click the name of the created task to open the task properties window.
  9. On the Application settings tab of the task properties window, specify the following settings:
    • Sources of updates

      The following resources can be used as a source of updates for the distribution point:

      • Kaspersky update servers

        HTTP(S) servers at Kaspersky from which Kaspersky applications download database and application module updates.

        This option is selected by default.

      • Primary Administration Server

        This resource applies to tasks created for a secondary or virtual Administration Server.

      • Local or network folder

        A local or network folder that contains the latest updates. Only a mounted SMB share can be used as a network folder. When selecting a local folder, you must specify a folder on the device that has Administration Server installed.

        In the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task, user authentication does not work if you select a password-protected local or network folder as an update source. To resolve this issue, first mount the password-protected folder, and then specify the required credentials, for example, by means of the operating system. After that, you can select this folder as an update source in an update download task. Open Single Management Platform will not require that you enter the credentials.

    • Folder for storing updates

      The path to the specified folder for storing saved updates. You can copy the specified folder path to the clipboard. You cannot change the path to a specified folder for a group task.

    • Download diff files

      This option enables the downloading diff files feature.

      By default, this option is disabled.

    • Download updates by using the old scheme

      Open Single Management Platform downloads updates of databases and software modules by using the new scheme. For the application to download updates by using the new scheme, the update source must contain the update files with the metadata compatible with the new scheme. If the update source contains the update files with the metadata compatible with the old scheme only, enable the Download updates by using the old scheme option. Otherwise, the update download task will fail.

      For example, you must enable this option when a local or network folder is specified as an update source and the update files in this folder were downloaded by Kaspersky Update Utility which downloads updates by using the old scheme.

      By default, this option is disabled.

  10. Create a schedule for task start. If necessary, specify the following settings:
    • Scheduled start:
      • Manually (selected by default)

        The task does not run automatically. You can only start it manually.

        By default, this option is selected.

      • Every N minutes

        The task runs regularly, with the specified interval in minutes, starting from the specified time on the day that the task is created.

        By default, the task runs every 30 minutes, starting from the current system time.

      • Every N hours

        The task runs regularly, with the specified interval in hours, starting from the specified date and time.

        By default, the task runs every 6 hours, starting from the current system date and time.

      • Every N days

        The task runs regularly, with the specified interval in days. Additionally, you can specify a date and time of the first task run. These additional options become available, if they are supported by the application for which you create the task.

        By default, the task runs every day, starting from the current system date and time.

      • Every N weeks

        The task runs regularly, with the specified interval in weeks, on the specified day of week and at the specified time.

        By default, the task runs every Friday at the current system time.

      • Daily (daylight saving time is not supported)

        The task runs regularly, with the specified interval in days. This schedule does not support observance of daylight saving time (DST). It means that when clocks jump one hour forward or backward at the beginning or ending of DST, the actual task start time does not change.

        We do not recommend that you use this schedule. It is needed for backward compatibility of Open Single Management Platform.

        By default, the task starts every day at the current system time.

      • Weekly

        The task runs every week on the specified day and at the specified time.

      • By days of week

        The task runs regularly, on the specified days of the week, at the specified time.

        By default, the task runs every Friday at 6:00:00 PM.

      • Monthly

        The task runs regularly, on the specified day of the month, at the specified time.

        In months that lack the specified day, the task runs on the last day.

        By default, the task runs on the first day of each month, at the current system time.

      • Every month on specified days of selected weeks

        The task runs regularly, on the specified days of each month, at the specified time.

        By default, no days of month are selected. The default start time is 18:00.

      • On virus outbreak

        The task runs after a Virus outbreak event occurs. Select application types that will monitor virus outbreaks. The following application types are available:

        • Anti-virus for workstations and file servers
        • Anti-virus for perimeter defense
        • Anti-virus for mail systems

        By default, all application types are selected.

        You may want to run different tasks depending on the security application type that reports a virus outbreak. In this case, remove the selection of the application types that you do not need.

      • On completing another task

        The current task starts after another task completes. You can select how the previous task must complete (successfully or with error) to trigger the start of the current task. This parameter only works if both tasks are assigned to the same devices.

    • Run missed tasks

      This option determines the behavior of a task if a client device is not visible on the network when the task is about to start.

      If this option is enabled, the system attempts to start the task the next time the Kaspersky application is run on the client device. If the task schedule is Manually, Once or Immediately, the task is started immediately after the device becomes visible on the network or immediately after the device is included in the task scope.

      If this option is disabled, only scheduled tasks run on client devices. For Manually, Once and Immediately schedule, tasks run only on those client devices that are visible on the network. For example, you may want to disable this option for a resource-consuming task that you want to run only outside of business hours.

      By default, this option is disabled.

    • Use automatically randomized delay for task starts

      If this option is enabled, the task is started on client devices randomly within a specified time interval, that is, distributed task start. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      The distributed start time is calculated automatically when a task is created, depending on the number of client devices to which the task is assigned. Later, the task is always started on the calculated start time. However, when task settings are edited or the task is started manually, the calculated value of the task start time changes.

      If this option is disabled, the task starts on client devices according to the schedule.

    • Use randomized delay for task starts within an interval of (min)

      If this option is enabled, the task is started on client devices randomly within the specified time interval. A distributed task start helps to avoid a large number of simultaneous requests by client devices to the Administration Server when a scheduled task is running.

      If this option is disabled, the task starts on client devices according to the schedule.

      By default, this option is disabled. The default time interval is one minute.

  11. Click the Save button.

The task is created and configured.

In addition to the settings that you specify during task creation, you can change other properties of a created task.

When the Download updates to the repositories of distribution points task is performed, updates for databases and software modules are downloaded from the update source and stored in the distribution points repository. Downloaded updates will only be used by distribution points that are included in the specified administration group and that have no update download task explicitly set for them.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 180731]

Adding sources of updates for the Download updates to the Administration Server repository task

When you create or use the task for downloading updates to the Administration Server repository, you can choose the following sources of updates:

  • Kaspersky update servers
  • Primary Administration Server

    This resource applies to tasks created for a secondary or virtual Administration Server.

  • Local or network folder

    This resource applies to tasks created for a secondary or virtual Administration Server.

  • Network folder

In the Download updates to the Administration Server repository task and the Download updates to the repositories of distribution points task, user authentication does not work if you select a password-protected local or network folder as an update source. To resolve this issue, first mount the password-protected folder, and then specify the required credentials, for example, by means of the operating system. After that, you can select this folder as an update source in an update download task. Open Single Management Platform will not require that you enter the credentials.

Kaspersky update servers are used by default, but you can also download updates from a local or network folder. You might want to use the folder if your network does not have access to the internet. In this case, you can manually download updates from Kaspersky update servers and put the downloaded files in the necessary folder.

You can specify only one path to a local or network folder. As a local folder, you must specify a folder on the device where Administration Server is installed. As a network folder, you can use an FTP or HTTP server or an SMB share. If an SMB share requires authentication, it must be mounted in the system with the required credentials in advance. We recommend not using the SMB1 protocol since it is insecure.

If you add both Kaspersky update servers and the local or network folder, updates will be downloaded first from the folder. In the case of an error when downloading, Kaspersky update servers will be used.

In case a shared folder that contains updates is password-protected, enable the Specify account for access to shared folder of the update source (if any) option and enter the account credentials required for access.

To add the sources of updates:

  1. In the main menu, go to Assets (Devices) → Tasks.
  2. Click Download updates to the Administration Server repository.
  3. Go to the Application settings tab.
  4. On the Sources of updates line, click the Configure button.
  5. In the window that opens, click the Add button.
  6. In the update source list, add the necessary sources. If you select the Network folder or Local or network folder check box, specify a path to the folder.
  7. Click OK, and then close the update source properties window.
  8. In the update source window, click OK.
  9. Click the Save button in the task window.

Now updates are downloaded to the Administration Server repository from the specified sources.

[Topic 222393]

About using diff files for updating Kaspersky databases and software modules

When Open Single Management Platform downloads updates from Kaspersky update servers, it optimizes traffic by using diff files. You can also enable the usage of diff files by devices (Administration Servers, distribution points, and client devices) that take updates from other devices on your network.

About the Downloading diff files feature

A diff file describes the differences between two versions of a file of a database or software module. The usage of diff files saves traffic inside your company's network because diff files occupy less space than entire files of databases and software modules. If the Downloading diff files feature is enabled on Administration Server or a distribution point, the diff files are saved on this Administration Server or distribution point. As a result, devices that take updates from this Administration Server or distribution point can use the saved diff files to update their databases and software modules.

To optimize the usage of diff files, we recommend that you synchronize the update schedule of devices with the update schedule of the Administration Server or distribution point from which the devices take updates. However, the traffic can be saved even if devices are updated several times less often than are the Administration Server or distribution point from which the devices take updates.

Distribution points do not use IP multicasting for automatic distribution of diff files.

See also:

Scenario: Regular updating Kaspersky databases and applications

Enabling the Downloading diff files feature

[Topic 175487]

Enabling the Downloading diff files feature

Stages

  1. Enabling the feature on Administration Server

    Enable the feature in the settings of a Download updates to the repository of the Administration Server task.

  2. Enabling the feature for a distribution point

    Enable the feature for a distribution point that receives updates by means of a Download updates to the repositories of distribution points task.

    Then enable the feature in the Network Agent policy settings for a distribution point that receives updates from Administration Server.

    Then enable the feature for a distribution point that receives updates from Administration Server.

    The feature is enabled in the Network Agent policy settings and—if the distribution points are assigned manually and if you want to override policy settings—in the Distribution points section of the Administration Server properties.

To check that the Downloading diff files feature is successfully enabled, you can measure the internal traffic before and after you perform the scenario.

See also:

About using diff files for updating Kaspersky databases and software modules

Scenario: Regular updating Kaspersky databases and applications

About updating Kaspersky databases, software modules, and applications

[Topic 219783]

Downloading updates by distribution points

Open Single Management Platform allows distribution points to receive updates from the Administration Server, Kaspersky servers, or from a local or network folder.

To configure update download for a distribution point:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. On the General tab, select the Distribution points section.
  3. Click the name of the distribution point through which updates will be delivered to client devices in the group.
  4. In the distribution point properties window, select the Source of updates section.
  5. Select an update source for the distribution point:
    • Source of updates

      Select a source of updates for the distribution point:

      • To allow the distribution point to receive updates from the Administration Server, select Retrieve from Administration Server.
      • To allow the distribution point to receive updates by using a task, select Use update download task, and then specify a Download updates to the repositories of distribution points task:
        • If such a task already exists on the device, select the task in the list.
        • If no such task yet exists on the device, click the Create task link to create a task. The New task wizard starts. Follow the instructions of the wizard.

    • Download diff files

      This option enables the downloading diff files feature.

      By default, this option is enabled.

The distribution point will receive updates from the specified source.

See also:

Scenario: Regular updating Kaspersky databases and applications

[Topic 233375]

Updating Kaspersky databases and software modules on offline devices

Updating Kaspersky databases and software modules on managed devices is an important task for maintaining protection of the devices against viruses and other threats. Administrators usually configure regular updates through usage of the Administration Server repository.

When you need to update databases and software modules on a device (or a group of devices) that is not connected to the Administration Server (primary or secondary), a distribution point or the internet, you have to use alternative sources of updates, such as an FTP server or a local folder. In this case, you have to deliver the files of the required updates by using a mass storage device, such as a flash drive or an external hard drive.

You can copy the required updates from:

  • The Administration Server.

    To be sure the Administration Server repository contains the updates required for the security application installed on an offline device, at least one of the managed online devices must have the same security application installed. This application must be configured to receive the updates from the Administration Server repository through the Download updates to the Administration Server repository task.

  • Any device that has the same security application installed and configured to receive the updates from the Administration Server repository, a distribution point repository, or directly from the Kaspersky update servers.

Below is an example of configuring updates of databases and software modules by copying them from the Administration Server repository.

To update Kaspersky databases and software modules on offline devices:

  1. Connect the removable drive to the device where the Administration Server is installed.
  2. Copy the update files to the removable drive.

    By default, the updates are located at: \\<server name>\KLSHARE\Updates.

    Alternatively, you can configure Open Single Management Platform to regularly copy the updates to the folder that you select. For this purpose, use the Copy downloaded updates to additional folders option in the properties of the Download updates to the Administration Server repository task. If you specify a folder located on a flash drive or an external hard drive as a destination folder for this option, this mass storage device will always contain the latest version of the updates.

  3. On offline devices, configure Kaspersky Endpoint Security to receive updates from a local folder or a shared resource, such as an FTP server or a shared folder.

  4. Copy the update files from the removable drive to the local folder or the shared resource that you want to use as an update source.
  5. On the offline device that requires update installation, start the Update task of Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows, depending on the operating system of the offline device.

After the update task is complete, the Kaspersky databases and software modules are up-to-date on the device.
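
An added example, not Kaspersky code or tooling: it records SHA-256 digests of the update files when they are copied to the removable drive (steps 1 and 2) and checks them on the offline side before the folder is used as an update source (step 4), reporting missing, modified, and unexpected files. The manifest file name, the function names, and the sample files are assumptions constructed for the example; the digest returned at export is meant to be carried separately from the drive.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Hypothetical manifest name chosen for this example; not a Kaspersky file.
MANIFEST_NAME = "updates.manifest.json"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large database files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def export_updates(source: Path, drive_dir: Path) -> str:
    """Copy the updates folder to the drive and write a manifest built from the source.

    Returns the manifest's own SHA-256, to be recorded separately from the drive.
    """
    shutil.copytree(source, drive_dir, dirs_exist_ok=True)
    manifest_path = drive_dir / MANIFEST_NAME
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2, sort_keys=True))
    return sha256_file(manifest_path)


def verify_updates(folder: Path, expected_manifest_sha256: str) -> dict:
    """Compare the folder on the offline side with the manifest written at export."""
    manifest_path = folder / MANIFEST_NAME
    if sha256_file(manifest_path) != expected_manifest_sha256:
        raise ValueError("manifest does not match the digest recorded at export")
    expected = json.loads(manifest_path.read_text())
    actual = build_manifest(folder)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "modified": sorted(n for n in set(expected) & set(actual) if expected[n] != actual[n]),
    }


def demo() -> dict:
    """Constructed sample data: export, verify, alter the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "Updates"                 # stands in for the server's updates folder
        drive = Path(tmp) / "removable" / "Updates"  # stands in for the removable drive
        (repo / "bases").mkdir(parents=True)
        (repo / "bases" / "constructed_db.dat").write_bytes(b"constructed database content")
        (repo / "constructed_index.bin").write_bytes(b"constructed index content")
        recorded = export_updates(repo, drive)
        clean = verify_updates(drive, recorded)
        # Simulate damage or tampering in transit.
        (drive / "bases" / "constructed_db.dat").write_bytes(b"altered in transit")
        (drive / "extra.bin").write_bytes(b"not part of the export")
        (drive / "constructed_index.bin").unlink()
        return {"clean": clean, "altered": verify_updates(drive, recorded)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the manifest is built from the source folder, files left on the drive from an earlier copy show up as unexpected rather than passing silently.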

See also:

Scenario: Regular updating Kaspersky databases and applications

Creating the Download updates to the Administration Server repository task

[Topic 180902]