
Kaspersky Hybrid Cloud Security. Public cloud protection
Technical training KL 020.10.5

Using Kaspersky Security for Windows Server
Chapter 1. Introduction
Chapter 2. Real-Time Protection
Chapter 3. Anti-Cryptor and Host Blocker
Chapter 4. Applications Launch Control

KL 020.10.5: Kaspersky Hybrid Cloud Security. Public cloud protection


Main functions of Kaspersky Security 10.1 for Windows Server
• Protects the server file system
• Controls the programs started on the server
• Controls connection of devices to the server
• Protects remote desktop sessions
• Protects storages against malware and file-encrypting ransomware
• Analyzes operating system logs and monitors file operations
• Sends events to SIEM


Advantages of Kaspersky Security 10.1 for Windows Server
• Stability
— KSWS 10.1 is designed for server operating systems, and is tested accordingly
— Microsoft®, Citrix®, VMware® certified
— Does not require a restart when installed or upgraded
• Performance
— The components are optimized for protecting a server from contemporary threats
— Optimized for server operating systems
— Flexible protection settings
• Various corporate scenarios are supported
— Installation on Windows Server in the Core mode
— Seamless operation on a terminal server
— Operation on a failover cluster
— Protection for network-attached storages
— SNMP support



Specifics of Kaspersky Security 10.1 for Windows Server
• Installation on Windows Server in the Core mode
• Detection of malicious encryption in shared folders and storages
• If malicious activity is detected in a shared folder, the respective user session can be blocked
• Remote Desktop Services users are notified of malicious objects in their terminal sessions
• Failover cluster support



How malware gets on a computer
Via a browser:
— Drive-by downloads (without the user’s consent)
— Fraudulently
Via email:
— In an attachment, which the user opens
— Links to malicious websites in the message body
Via removable drives
— That have been infected intentionally
From other infected computers over the network:
— The user copies a file from a shared folder
— Malware attacks vulnerable services and programs on the user’s computer


What does malware do on a computer?
Downloads new malware
Encrypts files and demands a ransom
— Gets the password from the control center (or sends it there)
Steals credit card data and passwords
— Sends them to the control center
Attacks other computers
— Receives commands from the control center
Makes trouble: the computer runs really slow, hangs, restarts
[Diagram label: C&C]


How KSWS 10.1 protects against threats
Web Threat Protection
— Blocks attempts to download malicious files
— Blocks malicious websites
— Blocks phishing websites
Mail Threat Protection
— Blocks infected attachments and messages
— Renames executable files
— Blocks phishing messages
Firewall
— Prohibits unnecessary connections
File Threat Protection and Virus Scan
— Find threats on the drive, in the boot sectors, containers, RAM, and removable drives
Storage protection
— Detects infected files on storages
— Blocks malicious encryption
[Diagram labels: Memory: Exploit Prevention; Drive: File Threat Protection, Virus Scan; Web Threat Protection; Mail Threat Protection; Firewall; Storage protection]


Protection components of Kaspersky Security 10.1 for Windows Server
Server and server file system protection components
— Real-time file protection
— Script monitoring
— Kaspersky Security Network
Terminal session protection components
— Real-time file protection
— Web anti-virus
— Mail anti-virus
Software and hardware control components
— Applications Launch Control
— Device Control
Storage protection components
— ICAP-network storage protection
— RPC-network storage protection
— Anti-Cryptor for NetApp
Further components listed on the slide
— Web control
— Untrusted hosts blocking
— Exploit prevention
— File integrity monitor
— Log Inspection
— Firewall Management
Legend
— Components that were included in the previous version
— Components developed for the new version
• Kaspersky Security Network Usage—Real-Time Protection, Traffic Security, and Applications Launch Control interact with the KSN cloud services through a dedicated component in KSWS

Management and monitoring components of Kaspersky Security 10.1 for Windows Server
Administration components
— Administration Console
— Command Line Utility—kavshell.exe
— Management plugin for Kaspersky Security Center
— Kaspersky Security Icon*
Monitoring components
— SNMP support
— Performance Counters
— Integration with SIEM
Legend
— Components that were included in the previous version
— Components developed for the new version
* Kaspersky Security Icon—enhanced functionality. You can enable tracing in the product


Schema of protection processes’ interaction in KSWS 10.1
• kavfs.exe
• kavfswp.exe
• klam.sys
• klfltdev.sys
• klwtpee.sys
• klramdisk.sys
[Diagram labels: kavfs.exe; kavfswp.exe, kavfswh.exe; Real-time protection task, Exploit Prevention, Update, Device Control, Traffic Security, On-Demand Scan, System inspection, Add-in for Outlook; klam.sys, klfltdev.sys, klwtpee.sys, klramdisk.sys; File system]


Services added to the system during KSWS 10.1 installation
• Kaspersky Security Service (KAVFS)—the main service. It manages tasks and working processes
• Kaspersky Security Management Service (KAVFSGT)—the service for managing KSWS 10.1 via Kaspersky Security 10.1 Console
• Kaspersky Security Exploit Prevention Service (kavfsslp)—the service of the exploit prevention component


KSWS 10.1 licensing
Kaspersky Kaspersky Kaspersky Kaspersky Endpoint Kaspersky Kaspersky
Targeted Security Targeted Security Security for Security for Endpoint Security Endpoint Security
for Storage for File Server Business Total Business Advanced for Business for Business Basic
Select (by subscription)

Real-Time File Protection + + + + + +
Exploit Prevention + + + + + +
Firewall Management + + + + + +
Anti-Cryptor + + + + + +
File integrity monitor + +
Log Inspection + +
Application Control + + + +
Device Control + + + +
Traffic Security—Web AV + + + +
Traffic Security—Mail AV + + + +
Traffic Security—Web control + + + +
Traffic Security—External proxy + +
Storage protection +
Storage Anti-Cryptor +

KSWS 10.1 for Storage licenses
Kaspersky Targeted Security: Security for Storage
The number of users: 10-14 | 15-19 | 20-24 | 25-49 | 50-99 | 100-149 | 150-249 | 250-499 | 500-999 | 1,000-1,499 | 1,500-2,499 | 2,500-4,999 | 5,000+
• Kaspersky Targeted Security: Security for Storage is licensed by the number of users connected to the storage
• You can activate several KSWS 10.1 servers with a single license
• Users’ read/write/execute permissions are of no importance


KSWS 10.1 system requirements
Operating systems
— Microsoft Windows Server 2016
  — Essentials / Standard / Datacenter
— Microsoft Windows Server 2012 R2
  — Foundation / Essentials / Standard / Datacenter
— Microsoft Windows Server 2012
  — Foundation / Essentials / Standard / Datacenter
— Microsoft Windows Server 2008 R2
  — Foundation / Standard / Enterprise / Datacenter
— Microsoft Windows Server 2008 32-bit / 64-bit
  — Standard / Enterprise / Datacenter
— Microsoft Windows Server 2003 R2 32-bit / 64-bit*
— Microsoft Windows Server 2003 32-bit / 64-bit*
*Is not officially supported by Microsoft
Virtual platforms
— Microsoft Hyper-V Server 64-bit
  — 2008 / 2008 R2 / 2008 R2 SP1 / 2012 / 2012 R2 / 2016
Minimum system requirements
— 1 Core 1.4 GHz processor
— 1 GB RAM (512 KL RAM Disk)
— 4 GB of free disk subsystem space
These requirements depend on the environment configuration

Chapter 2. Real-Time Protection


Which objects Real-Time Protection safeguards
— The Real-Time File Protection task protects files, Windows containers including Docker and Windows Subsystem for Linux, alternate NTFS streams, MBR
— You can disable Real-Time File Protection if
  — Applications Launch Control is configured
  — A full scan task is run periodically
[Diagram labels: Real-Time File Protection; Files; Windows Server 2016 container files; alternate file system streams (NTFS streams); MBR]


How KSWS 10.1 scans files
File Threat Protection scans files on the drive when the user or a program accesses them
A virus scan task scans files on the specified schedule
Components detect dangerous programs using:
— A local database of malware signatures
— Emulated file start in a sandbox
— Kaspersky Security Network reputation database
The emulator helps to detect polymorphic threats
Kaspersky Security Network helps to:
— Detect new threats
— Exclude known good files
[Diagram labels: Kaspersky Security Network; Emulation environment; Malware signatures; Anti-Malware Engine; File Threat Protection; Virus Scan; Driver; Drive]


Different parameters for different areas
— KSWS 10.1 allows you to specify individual scanning parameters for any object, even a specific file


Configuring exclusions
— Exclusions are specified in the policy. They apply to
  — Real-time protection
  — On-demand scanning
  — Web threat protection
— You can exclude a
  — Drive
  — Folder
  — File
— Specify the verdict to improve security


How Kaspersky Security Network works in KSWS 10.1
— A special KSWS 10.1 component is responsible for the integration with KSN
— This component creates the KSN Usage task
— The KSN Usage task receives clean objects from the scan tasks and sends a request to KSN
— If KSN answers that the object is untrusted, the KSN Usage task takes the configured action:
  — Remove
  — Log information
— Only the MD5 checksum of the objects is sent to the KSN servers
[Diagram labels: Kaspersky Security Center (KSN Proxy, port 13111); Kaspersky Security Network; Kaspersky Security 10.1 for Windows Server: Real-Time File Protection, Applications Launch Control, On-Demand Scan, Network Storage Protection, Traffic Security]


How to enable KSN
— In KSWS 10.1 policy
  — Accept the agreement about data transfer to KSN
— In the Administration Server properties
  — Make sure that the KSN proxy is enabled
— Select to use KSC as KSN Proxy
— Run the task


Chapter 3. Anti-Cryptor and Host Blocker


Blocking user sessions where suspicious activities are detected
— Blocks untrusted user sessions based on the respective list or heuristic analysis
— Untrusted hosts are computers from which malicious or encryption activities have been undertaken
— By default, a computer is blocked for 30 minutes; this time is configurable
[Diagram labels: Kaspersky Security 10.1 for Windows Server; Real-Time Protection; Anti-Cryptor]




How the list of untrusted computers is filled
KSWS 10.1 policy: Real-time protection
— The Real-Time File Protection task detects computers that try to copy malicious objects to a server shared folder and adds them to the list
[Diagram labels: Real-Time Protection; User’s session is blocked]


How the list of untrusted computers is filled
KSWS 10.1 policy: Anti-Cryptor
— The Anti-Cryptor task detects the user sessions that try to encrypt files in a server shared folder and adds them to the list
[Diagram labels: Anti-Cryptor; User’s session is blocked]


How to configure additional protection for shared folders on a server
Steps:
— Configure Real-Time File Protection
— Configure Anti-Cryptor
Configure Real-Time File Protection
— By default, the Real-Time File Protection task only detects malicious activity in the server shared folders, but does not add computers to the list of untrusted hosts
— To make the Real-Time File Protection task fill the list, select the List hosts showing malicious activity as untrusted check box in its properties


How to configure additional protection for shared folders on a server
Enable Anti-Cryptor
— The task is not running by default
— It will be started as soon as the policy is applied
— Close the lock to enforce this task


How to configure additional protection for shared folders on a server
Select the directories to be protected
— By default, Anti-Cryptor protects all shared folders on the server
— If necessary, you can manually specify the shared folders to be protected


How to configure additional protection for shared folders on a server
Select the directories to be protected
— The specified folders will be added to the list of protected resources


How to configure additional protection for shared folders on a server
Add exclusions
— You can add not only files and folders to the component’s scan exclusions, but also file masks


How to configure additional protection for shared folders on a server
Enable Anti-Cryptor
— The task is not running by default
— Schedule the task and close the lock to enforce the settings


How to configure the blocking period for user sessions where suspicious activities are detected
— Blocks the listed untrusted hosts
— Untrusted hosts are computers from which malicious or encryption activities have been undertaken
— By default, a computer is blocked for 30 minutes; this time is configurable


Where to consult the list of blocked hosts in Kaspersky Security Center
— Each server has its own list of untrusted hosts; aggregate data is not available
— You can find the list in the server properties


Where to consult the list of untrusted hosts in Kaspersky Security 10.1 Console


How to unblock an untrusted device in Kaspersky Security 10.1 Console
— Go to Storages, select Blocked Host Storage, right-click the necessary device, and select Unblock computer


Chapter 4. Applications Launch Control


Default Deny mode
Default Deny is an information security approach in which software is prohibited from starting unless it is included in trusted (white) lists
Pros
1. Minimal risk of running malicious or unwanted software
— Unknown applications are blocked; the environment is kept safe
— You can block software installation
2. Application version control
3. Less load on the system when compared with a typical antivirus solution
Cons
1. Trusted application management
2. Issues might arise when you install updates or patches because new software may get blocked


Specifics of white lists
Kaspersky Endpoint Security 10: list of rules in the policy
1 KSC category (KSC categories: list of application attributes)
2 User
3 Verdict
Kaspersky Security 10.1 for Windows Server: list of rules in the policy
1 Application attribute (SHA 256)
2 User
3 Executable file / script
4 Verdict


How to configure Applications Launch Control
Steps:
— Select the mode for the Applications Launch Control
— Draw up the list of required applications
— Create a preliminary list of rules
— Enable Applications Launch Control in the test mode
— Adjust the Applications Launch Control rules
— Enable full-fledged Applications Launch Control
Approaches to generating rules
Only hash sums
+ Hash sums cannot be spoofed
– A separate rule for each file
– Must be recalculated after updating the software
Certificates and hash sums
– A certificate can be stolen
+ A single rule for files with the same certificate
+ Certificates rarely change during an application update


How to configure Applications Launch Control
1. Draw up the list of required applications
— Select the reference computers
— Create a shared folder
— Configure a rule generation task
— Run the task
2. Create rules in KSWS 10.1 policy
— Import the task results
3. Enable Applications Launch Control in the statistics mode
4. Make adjustments
— Create a selection for the test events
— Export the events
— Import the events into rules
5. Switch Applications Launch Control to the normal mode
[Diagram labels: Kaspersky Security Center; Rule Generator for Applications Control task; KSWS 10.1 policy; KSWS 10.1 protected servers; Resulting *.xml file; arrows 1, 2, 3]

Creating a rule generation task for Applications Launch Control
Steps:
— Select the Rule Generator task type
— Specify the executable files’ scan scope
— Configure how to create allowing rules
— Schedule the task
— Specify an account
— Name the task
— Run the task
The rule generation task for Applications Launch Control
— To generate rules on the basis of reference computers, use a task for specific computers


Creating a rule generation task for Applications Launch Control
Select the Rule Generator task type
— Under Kaspersky Security 10.1 for Windows Server, select the Rule Generator task


Creating a rule generation task for Applications Launch Control
Specify the executable files’ scan scope
— The prefix indicates the origin of the rule
— You can delete all the default scan areas and add %SystemDrive% to the scan scope to ensure that nothing is overlooked
— It is advisable to control all file types
With these settings, the task will scan the whole system drive


Creating a rule generation task for Applications Launch Control
Configure how to create allowing rules
— Secure rules
  — SHA256 hash sum
  — Certificate thumbprint
— Insecure rules
  — Certificate subject
  — Path
— Rules are created for one user or group
— An existing folder must be specified in the following format:
  — \\Server\Folder_Name\
  Or
  — \\Server\Folder_Name\rules.xml


Creating a rule generation task for Applications Launch Control
Schedule the task and specify an account
— Scheduling is not necessary
— Specify the account that has the Write permission for the selected shared folder


Creating a rule generation task for Applications Launch Control
Name the task
— Name the task
— Finish the wizard


How to configure Applications Launch Control
Task results
— Rules—the file name specified in the task properties
— SECURITY-CENTER—the name of the scanned computer
— 20180425—the scanning date
— 205240_276—the scan start time


How to configure Applications Launch Control
How to import rules to a policy
— Files are imported one at a time
— Import options:
  — Merge with existing rules
  — Add to existing rules
  — Replace existing rules


How to configure Applications Launch Control
1. Draw up the list of required applications
— Select the reference computers
— Create a shared folder
— Configure a rule generation task
— Run the task
2. Create rules in KSWS 10.1 policy
— Import the task results
3. Enable Applications Launch Control in the statistics mode
4. Make adjustments
— Create a selection for the test events
— Export the events
— Import the events into rules
5. Switch Applications Launch Control to the normal mode
[Diagram labels: Kaspersky Security Center; Event selection; Event selection export; KSWS 10.1 policy; KSWS 10.1 protected servers; arrows 3, 4]


How to configure Applications Launch Control
Enable Applications Launch Control in the test mode
— Select the Statistics Only mode
— Select which objects are to be controlled
  — Executable files
  — DLL modules
  — Scripts and MSI packages
— Select the Run by schedule check box and set Frequency to At application launch
— Close the locks


How to configure Applications Launch Control
Create a selection of events
— You can make a selection of test events
— An event contains
  — User name
  — File name and path
  — Checksum
  — Certificate data


How to configure Applications Launch Control
Export the events
— Events are saved to a text file
— The file format is of no importance


How to configure Applications Launch Control
Import events from the KSC report
— Rules are created on the basis of
  — Certificate
  — SHA-256, if there is no certificate
— The default user is Everyone


How to configure Applications Launch Control
Create rules from KSC events
— You can generate rules on the basis of KSC events




How to configure Applications Launch Control
Specify the KSC Server and event types
— Rules are created based on events of the following types:
  — Statistics Only: Application launch denied
  — Application launch denied
— Specify the Administration Server connection parameters
— Select a timespan


How to configure Applications Launch Control
Automatically generated files
— There is no permanent checksum
— There is no digital signature
— Can be allowed on the basis of
  — Path
  — Path and user
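An added example, not part of the training deck and not Kaspersky code: a simplified Python model of the workflow on the preceding slides (statistics mode, rules built from the logged events, then active mode). It shows why a certificate rule survives a software update while a hash rule does not, and why automatically generated files need a path rule. The class names, sample paths, thumbprint string and prefix-based path matching are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Event names as they appear on the slides.
STAT_DENIED = "Statistics Only: Application launch denied"
DENIED = "Application launch denied"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Launch:
    """One launch attempt, with the fields the slides list for an event."""
    user: str
    path: str
    sha256: str
    cert: Optional[str] = None  # certificate thumbprint, None if unsigned


@dataclass(frozen=True)
class Rule:
    kind: str               # "certificate", "sha256" or "path"
    value: str
    user: str = "Everyone"  # default user for rules imported from events


def rule_matches(rule: Rule, launch: Launch) -> bool:
    if rule.user not in ("Everyone", launch.user):
        return False
    if rule.kind == "certificate":
        return launch.cert is not None and launch.cert == rule.value
    if rule.kind == "sha256":
        return launch.sha256 == rule.value
    if rule.kind == "path":  # assumption: case-insensitive folder prefix
        return launch.path.lower().startswith(rule.value.lower())
    return False


def decide(launch, rules, mode):
    """Default Deny decision: returns (started, logged_event)."""
    if any(rule_matches(r, launch) for r in rules):
        return True, None
    if mode == "statistics":   # test mode in this model: log, do not block
        return True, STAT_DENIED
    return False, DENIED       # active mode


def rules_from_events(launches):
    """Certificate rule when the file is signed, SHA-256 rule otherwise."""
    rules = set()
    for ev in launches:
        if ev.cert:
            rules.add(Rule("certificate", ev.cert))
        else:
            rules.add(Rule("sha256", ev.sha256))
    return rules


def run_demo():
    cert = "CONSTRUCTED-THUMBPRINT-01"  # constructed sample value
    agent = r"C:\Program Files\Agent\agent.exe"
    first_run = [  # constructed launches seen while in statistics mode
        Launch("svc_backup", agent, sha256_hex(b"agent v1"), cert),
        Launch("admin", r"C:\Tools\report.exe", sha256_hex(b"report v1")),
        Launch("svc_app", r"C:\App\cache\gen_001.dll", sha256_hex(b"gen 1")),
    ]
    # Steps 3 and 4: collect the logged events and turn them into rules.
    logged = [ev for ev in first_run
              if decide(ev, set(), "statistics")[1] == STAT_DENIED]
    rules = rules_from_events(logged)

    # Step 5: active mode, after the software has been updated.
    agent_v2 = Launch("svc_backup", agent, sha256_hex(b"agent v2"), cert)
    report_v2 = Launch("admin", r"C:\Tools\report.exe", sha256_hex(b"report v2"))
    gen_2 = Launch("svc_app", r"C:\App\cache\gen_002.dll", sha256_hex(b"gen 2"))
    gen_other = Launch("guest", r"C:\App\cache\gen_003.dll", sha256_hex(b"gen 3"))
    result = {
        "rule_count": len(rules),
        "agent_v2": decide(agent_v2, rules, "active"),      # same certificate
        "report_v2": decide(report_v2, rules, "active"),    # hash changed
        "gen_2_before": decide(gen_2, rules, "active"),     # no stable hash
    }
    # Path-and-user rule for generated files (listed as an insecure rule type).
    rules.add(Rule("path", "C:\\App\\cache\\", user="svc_app"))
    result["gen_2_after"] = decide(gen_2, rules, "active")
    result["gen_other_user"] = decide(gen_other, rules, "active")
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The path rule is what lets the generated files run, and it is also the weakest rule in the set: anything the named user can write into that folder is allowed to start.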


How to configure Applications Launch Control
1. Draw up the list of required applications
— Select the reference computers
— Create a shared folder
— Configure a rule generation task
— Run the task
2. Create rules in KSWS 10.1 policy
— Import the task results
3. Enable Applications Launch Control in the statistics mode
4. Make adjustments
— Create a selection for the test events
— Export the events
— Import the events into rules
5. Switch Applications Launch Control to the active mode
[Diagram labels: Kaspersky Security Center; Event selection; KSWS 10.1 policy; KSWS 10.1 protected servers; arrow 5]


How to configure Applications Launch Control
Enable Applications Launch Control
— Select the Active mode


An alternative to Real-Time File Protection
— Prohibit starting the files that KSN considers to be untrusted
— The KSN component must be running
— The KSN verdict has a higher priority than the rules
— The KSN component can delete the files that have a bad reputation
