Kaspersky Endpoint Security 10 For Windows

Kaspersky Endpoint Security 10 forWindowsUser ManualDocument version: 1.03Application version: 10.3.0.6294 AES256

Table of ContentsAbout Kaspersky Endpoint Security 10 for Windows .5Distribution kit .5Hardware and software requirements .6Environment and operation requirements .8User and administrator roles in the application .9License and activation . 10Managing the application on a client computer . 11Application functions in the Windows context menu . 11Application icon context menu . 13Web Control. 14About Web Control . 14Web Control subsection . 30Application Privilege Control . 46About Application Privilege Control . 46Application Privilege Control subsection . 47Application Startup Control . 84About Application Startup Control . 84Application Startup Control subsection . 84Device Control . 112About Device Control . 112Device Control subsection . 113Anti-Virus protection . 134Anti-Virus protection section . 136Protecting the computer file system. File Anti-Virus . 155Email protection. Mail Anti-Virus. 173Computer protection on the Internet. Web Anti-Virus . 184Protection of IM client traffic. IM Anti-Virus . 191System Watcher . 194Scanning the computer. 199Managing Quarantine and Backup . 243About Quarantine and Backup . 244Configuring Quarantine and Backup settings . 245Managing Quarantine . 247

Managing Backup. 252Working with encrypted devices when there is no access to them . 255Obtaining access to encrypted devices through the application interface . 257Creating the executable file of Restore Utility . 258Restoring data on encrypted devices using the Restore Utility. 259Using Authentication Agent. 262Main window of Authentication Agent . 262Restoring Authentication Agent account credentials . 263Step 1. Entropy. 264Step 2. Challenge . 264Step 3. Response . 264Remote administration of the application through Kaspersky Security Center. 265About managing the application via Kaspersky Security Center . 265Managing policies . 266About policies . 267Application Startup Control . 271Application Privilege Control. 283Device Control . 319Web Control . 344Data Encryption . 376Anti-Virus protection . 401Advanced application settings . 467Tasks . 489About tasks for Kaspersky Endpoint Security . 489Key addition task settings section . 491Application components modification task settings section . 493Authentication Agent account management task settings section . 495Settings section . 496Managing the application from the command prompt . 499Commands . 499Error messages . 509Return codes . 515Using task profiles . 526Document version: 1.033

Contacting Technical Support . 529How to obtain technical support . 530Technical support by phone. 530Technical Support via Kaspersky CompanyAccount . 531Collecting information for Technical Support . 532Creating a trace file . 533Contents and storage of trace files . 534Enabling or disabling transmission of dump files and trace files to KasperskyLab . 537Sending files to the Technical Support server . 537Enabling and disabling protection of dump files and trace files . 538Document version: 1.034

About Kaspersky Endpoint Securityfor WindowsThis section describes the functions, components, and distribution kit of Kaspersky EndpointSecurity 10 for Windows, further referred to as Kaspersky Endpoint Security, and provides a list ofhardware and software requirements of Kaspersky Endpoint Security.In this section:Distribution kit . 5Hardware and software requirements. 6User and administrator roles in the application . 7Distribution kitThe Kaspersky Endpoint Security distribution kit contains the following files: Files that are required for installing the application using any of the available methods: Update package files used during installation of the application. The klcfginst.msi file for installing the Kaspersky Endpoint Security administration plug-invia Kaspersky Security Center. The ksn language ID .txt file, which you can view to look through the terms ofparticipation in Kaspersky Security Network. The license.txt file, with which you can view the End User License Agreement. The incompatible.txt file that contains a list of incompatible software.

The installer.ini file that contains the internal settings of the distribution kit.It is not recommended to change the values of these settings. If you want to changeinstallation options, use the setup.ini file.You must unpack the distribution kit to access the files.Hardware and software requirementsTo ensure proper operation of Kaspersky Endpoint Security, your computer must meet thefollowing requirements:Minimum general requirements: 2 GB of free disk space on the hard drive Microsoft Internet Explorer 7.0 An Internet connection for activating the application and updating databases andapplication modules 2 GB of free RAM Intel Pentium processor (or compatible equivalent): For a 32-bit operating system - Intel Pentium 1 GHz For a 64-bit operating system - Intel Pentium 2 GHzSupported operating systems for workstations: Microsoft Windows 7 Professional / Enterprise / Ultimate x86 Edition SP1, MicrosoftWindows 7 Professional / Enterprise / Ultimate x64 Edition SP1 Microsoft Windows 8 Professional / Enterprise x86 Edition, Microsoft Windows 8Professional / Enterprise x64 Edition, Microsoft Windows 8.1 Enterprise x86 Edition,Microsoft Windows 8.1 Enterprise x64 EditionDocument version: 1.036

Microsoft Windows 10 Pro / Enterprise x86 Edition, Microsoft Windows 10 Pro / Enterprisex64 EditionFor details about support for the Microsoft Windows 10 operating system, please refer toarticle 13036 in the Technical Support Knowledge Base:http://support.kaspersky.com/kes10wks http://support.kaspersky.com/kes10wks.Supported operating systems for file servers: Microsoft Windows Server 2008 R2 Standard / Enterprise x64 Edition SP1, MicrosoftWindows Server 2008 Standard / Enterprise x86 Edition SP2, Microsoft Windows Server2008 Standard / Enterprise x64 Edition SP2 Microsoft Windows Small Business Server 2011 Essentials / Standard x64 Edition Microsoft Windows Server 2012 Standard / Foundation / Essentials x64 Edition, MicrosoftWindows Server 2012 R2 Standard / Foundation / Essentials x64 Edition, MicrosoftWindows MultiPoint Server 2012 x64 Edition Microsoft Windows Server 2016For details about support for the Microsoft Windows Server 2016 operating system, pleaserefer to article 13036 in the Technical Support Knowledge Base:http://support.kaspersky.com/kes10fs http://support.kaspersky.com/kes10fs.Document version: 1.037

Environment and operationrequirementsTo ensure user data security and maximize protection efficiency that is provided by KasperskyEndpoint Security several other requirements had to be observed.Attacker access protectionThe device secured by the TOE should not fall under temporary and undetected physical control ofan attacker when the device is booted. Potential attacker must not have physical or logical accessto the device secured by the TOE before and during the TOE installation. Appropriate physicalsecurity measures and physical security policies have to be in place.Correct behaviour of authorised usersAuthorised users shall not actively compromise the security of the device secured by the TOE andthe TOE itself and should be instructed not to leave a device secured by the TOE while it isswitched on and running.TOE secure operationNon-trusted software (especially with ability to perform direct access to the hard disk) is notinstalled and will not be installed on the device secured by the TOE. The users are instructed not toinstall or use utility programs like partition managers or disk copy programs.Password protectionAll authorised individuals (users, administrators) protect their passwords and/or PINs for Token toavoid disclosure. They are instructed to keep their password secret and not to write down theirpassword, neither manually nor electronically. Unauthorised individuals shall not get the passwordof an authorised individual. The corresponding security measures sufficiently protect againstpassword/PIN eaves dropping and recording using software tools or additional hardware devices.In particular, the devices and the environment shall be protected against installing any softwareprograms or hardware devices, which enable capturing user password inputs on the keyboard.Document version: 1.038

Trusted administrationThe administrators responsible for the device and KSC server administration have to betrustworthy. They perform all tasks correctly regarding the TOE security.User and administrator roles in theapplicationKaspersky Endpoint Security supports two user roles: User and Administrator.User is associated with Administrator role when he enters valid username and password whenperforming operations in GUI or Command Line interface. Additionally all actions done throughKaspersky Security Center are also attributed to Administrator role.Username and password are defined via Kaspersky Security Center Policy. See section PasswordProtection Windows on page 477.The Administrator role performs installation, configuration and administration of KasperskyEndpoint Security locally through GUI and command line interface or remotely using the KasperskySecurity Center Administration Server and the Kaspersky Endpoint Security administration plug-in.A user can perform the following actions in the local interface of Kaspersky Endpoint Security: Run a custom scan task. Send the administrator requests for access provision in case devices, applications or webresources necessary for work are being blocked, or to obtain access to encrypted files. Configure application settings if their modification is allowed by the Kaspersky SecurityCenter policy or if the user's computer is not running under a policy.In a client computer with Kaspersky Endpoint Security installed is running under a KasperskySecurity Center policy, the administrator can restrict availability of operations or settings with theapplication to the User. In this case, the application will prompt the user for the password when theuser attempts to perform a protected operation in the Kaspersky Endpoint Security local interface.See section Password Protection Windows on page 477.Document version: 1.039

License and activationAdministrators should maintain active license for Kaspersky Endpoint for Windows at all times toensure lasting data protection.Please refer to section Key addition task settings section on p. 491 below for instruction how to addactivation keys when active license expire. Kaspersky Endpoint Security for Windows have optionto include backup activation keys to ensure uninterrupted protection due to license expiration.If the license has expired, the application does not encrypt new data, and old encrypted dataremains encrypted and available for use. In this event, encrypting new data requires the programbe activated with a new license that permits the use of encryption. The rest of functionality staysthe same.Document version: 1.0310

Managing the application on aclient computerThis section contains information on how to work with the application by using the local interfaceon the client computer of the user.In this section:Application functions in the Windows context menu . 11Web Control . 13Application Privilege Control . 46Application Startup Control . 84Device Control . 112Anti-Virus protection . 134Working with encrypted devices when there is no access to them . 242Application functions in the Windowscontext menuKaspersky Endpoint Security is integrated into the Windows context menu. Using the context menuof any file on the computer, the user can perform the following operations with a file: