Endpoint Security
Proof of Concept Guide
29.12.2017
Endpoint Security Proof of Concept Guide Page 1 of 78
Kaspersky Enterprise Cybersecurity
Introduction (p. 3)
  Who should use this guide? (p. 3)
  What is Endpoint Security? (p. 3)
  What are the components of Endpoint Security? (p. 4)
Prepare the environment (p. 8)
  Review the requirements (p. 8)
  Download required files (p. 9)
  Configure network (p. 10)
  Check accounts rights and permissions (p. 11)
Setup and deploy (p. 11)
  Kaspersky Security Center 10 (p. 11)
  Kaspersky Endpoint Security 11 (p. 22)
  Kaspersky Security 10 for Windows Servers (p. 28)
  Kaspersky Endpoint Security 10 for Linux (p. 33)
  Activation (p. 38)
  Update (p. 38)
Capability scenarios (p. 38)
  Antimalware protection for workstations (KES) (p. 38)
  Antimalware protection for servers (KSWS, KESL) (p. 50)
  Data protection for Desktops (KES) (p. 56)
  Desktop controls (p. 64)
Conclusion (p. 73)
Appendix A: POC success criteria (p. 74)
Appendix B: Further Reading (p. 76)
Appendix C: Ransomware emulation script (p. 77)
Appendix D: AMSI demonstration scripts (p. 78)
Introduction
Who should use this guide?
This guide is built to help you quickly deploy and configure Kaspersky Endpoint Security (hereinafter KES) for evaluation. It guides you through detailed scenarios in a proof of concept environment to help you better understand how the solution works. The instructions provide an evaluation method for the most common endpoint security use cases. The target audience includes KL's presales engineers and 3rd parties willing to evaluate KES products.
What is Endpoint Security?
- Kaspersky Endpoint Security 11 for Windows: endpoint protection for Windows desktops;
- Kaspersky Endpoint Security 10 for Linux: endpoint protection for Linux desktops and servers;
- Kaspersky Security 10 for Windows Servers: endpoint protection for Windows servers and 3rd party ICAP-capable systems;
- Kaspersky Security Center 10: centralized management for Endpoint Security products.
[Figure: Endpoint Security architecture diagram showing KSN, the Kaspersky Lab update servers, Kaspersky Security Center, and a workstation running Network Agent and Endpoint Security, with the events and reporting flows between them.]
What are the components of Endpoint Security?
Kaspersky Security Center (KSC) is designed for centralized execution of basic administration and maintenance
tasks in an organization's network. The application provides the administrator with access to detailed information
about the organization's network security level; it lets you configure all the components of protection based on
Kaspersky Lab applications.
- Administration server. Centralized storage of information about installed applications and their management.
- Network Agent. This component coordinates the interaction between the Administration Server and the Kaspersky Lab applications installed on a workstation or server.
- Administration Console. A Microsoft Management Console (MMC) snap-in that provides the GUI for managing the Administration Server and Network Agent.
Kaspersky Endpoint Security (KES) provides comprehensive computer protection against various types of
threats, network and phishing attacks. Each type of threat is handled by a dedicated component. Components can
be enabled or disabled independently of one another, and their settings can be configured.
- NEW! Integrated Endpoint Sensors component of Kaspersky Anti Targeted Attack Platform (KATA) to provide Endpoint Detection and Response (EDR) capabilities: IoC scanner. This feature is out of scope for this guide. For more information please contact the ESIG team at ESIG@kaspersky.com.
- NEW! System Watcher for Servers and Desktops. This component keeps a record of application activity on the computer and provides this information to other components to ensure more effective protection of the computer.
- NEW! Lightweight mode for Threat Protection (Cloud mode). Light antivirus databases with KSN enabled (requires less RAM and drive space).
- Importing/exporting the list of trusted devices (in XML format, which is convenient for reading and editing manually).
- File Anti-Virus. This component protects the file system of the computer from infection. File Anti-Virus starts together with Kaspersky Endpoint Security, continuously remains active in computer memory, and scans all files that are opened, saved, or started on the computer and on all connected drives. File Anti-Virus intercepts every attempt to access a file and scans the file for viruses and other threats.
- Mail Anti-Virus. This component scans incoming and outgoing email messages for viruses and other threats.
- Web Anti-Virus. This component scans traffic that arrives on the user's computer via the HTTP and FTP protocols, and checks whether URLs are listed as malicious or phishing web addresses.
- Firewall. This component protects data that is stored on the computer and blocks most possible threats to the operating system while the computer is connected to the Internet or to a local area network. The component filters all network activity according to rules of two kinds: network rules for applications and network packet rules.
- Network Monitor. This component lets you view the network activity of the computer in real time.
- Network Attack Blocker. This component inspects inbound network traffic for activity that is typical of network attacks. Upon detecting an attempted network attack that targets your computer, Kaspersky Endpoint Security blocks network activity from the attacking computer.
- Application Startup Control. This component keeps track of user attempts to start applications and regulates the startup of applications.
- Host Intrusion Prevention System (HIPS) or Application Privilege Control. This component registers the actions of applications in the operating system and regulates application activity depending on the trust group of a particular application. A set of rules is specified for each group of applications. These rules regulate the access of applications to user data and to resources of the operating system. Such data includes user files (My Documents folder, cookies, user activity information) and files, folders, and registry keys that contain settings and important information from the most frequently used applications.
- Device Control. This component lets you set flexible restrictions on access to data storage devices (such as hard drives, removable drives, tape drives, and CD/DVD disks), data transmission equipment (such as modems), equipment that converts information into hard copies (such as printers), or interfaces for connecting devices to computers (such as USB, Bluetooth, and Infrared).
- Web Control. This component lets you set flexible restrictions on access to web resources for different user groups.
Kaspersky Security 10 for Windows Server (KSWS) protects servers running Microsoft® Windows® operating systems, and network attached storage, against viruses and other computer security threats to which servers are exposed through file exchange.
- Terminal servers
- Print servers
- Application servers
- Domain controllers
- Servers that protect network attached storage
- File servers: these servers are more likely to get infected because they exchange files with user workstations.
- Server Control. KSWS monitors all attempts to access network file resources, enables Applications Launch Control, and blocks access to the server for remote computers if they show malicious or encryption activity.
- RPC-Network Storage Protection and ICAP-Network Storage Protection. KSWS installed on a server under a Microsoft Windows operating system protects network attached storage against viruses and other security threats that infiltrate the server through the exchange of files.
- On-demand scan. KSWS runs a single scan of the specified area for viruses and other computer security threats. KSWS scans server files, RAM and startup objects.
- Databases and software modules update. KSWS downloads updates of application databases and modules from the FTP or HTTP update servers of Kaspersky Lab, from the Kaspersky Security Center Administration Server, or from other update sources.
- Quarantine. KSWS quarantines probably infected objects by moving such objects from their original location to Quarantine. For security purposes, objects are stored in Quarantine in encrypted form.
- Backup. KSWS stores encrypted copies of objects classified as Infected or Probably infected in Backup before disinfecting or deleting them.
- Administrator and user notifications. You can configure the application to notify the administrator and the users who access the protected server about events in KSWS operation and the status of Anti-Virus protection on the server.
- Importing and exporting settings. You can export Kaspersky Security settings to an XML configuration file and import settings into Kaspersky Security from the configuration file. All application settings, or only the settings of individual components, can be saved to a configuration file.
- Applying templates. You can manually configure the security settings of a node in the server file resources tree and save the values of the configured settings to a template. This template can then be used to configure the security settings of other nodes in Kaspersky Security protection and scan tasks.
- Writing events to the event log. KSWS logs information about the settings of application components, the current status of tasks, events that occurred during their run, events associated with KSWS management, and information required for failure diagnostics in KSWS operation.
- Hierarchical storage. Kaspersky Security can operate in hierarchical storage management mode (HSM systems). HSM systems allow data relocation between fast local drives and slow long-term data storage devices.
- Trusted zone. You can create a list of exclusions for the protection scope or scan scope which KSWS applies to On-Demand Scan, Real-Time File Protection, Script Monitoring, and RPC-Network Storage Protection.
- Managing permissions. You can configure the rights for managing KSWS and the rights for managing the Windows services registered by the application, for users and groups of users.
Kaspersky Endpoint Security 10 for Linux (KESL) protects computers running Linux® operating systems against malware. Threats can infiltrate the system via network data transfer channels or from removable drives.
- Scan file system objects located on the computer's local drives, as well as mounted and shared resources accessed via the SMB and NFS protocols. The application can scan file system objects both in real time using real-time protection tasks and on demand using on-demand scan tasks.
- Detect infected objects. If an object is found to contain code from a known virus, KESL considers the object infected.
- Neutralize threats detected in files. Depending on the type of threat, the application automatically chooses the action to be performed in order to neutralize the threat.
- Save backup copies of files before disinfection or deletion and restore files from backup copies.
- Manage tasks and configure their settings. You can manage the real-time protection task, on-demand scan task, boot sector scan task, process memory scan task, update task, update rollback task, and update distribution task.
- Add keys, activate the application using activation codes, and use the application based on a subscription.
- Notify the administrator about events occurring during the operation of KESL.
- Update KESL databases from Kaspersky Lab update servers, via the Administration Server, or from a user-specified source, by schedule or on demand. The application uses anti-virus databases to detect and disinfect infected files. KESL analyzes each file for threats during the scan process: file code is matched against code that resembles a particular threat.
Prepare the environment
Review the requirements
Hardware requirements
[Hardware requirements table: only the HDD row survived extraction. HDD, GB: 10 | TBA | 4 | 1 | 1 (columns as in the original table)]
Please note that RAM and CPU requirements of the Network Agent, Administration Server and Administration
Console are the minimum requirements for installation of these components. It is recommended that you use
computers with a larger amount of RAM and a greater CPU frequency.
Software requirements
Linux OS:
- The glibc.i686 module must be installed on Red Hat® Enterprise Linux® 7 or later, CentOS 7 or later, and Oracle Linux 7 or later prior to installing Network Agent.
- The glibc-32bit module must be installed on 64-bit versions of openSUSE® 42.2 and SUSE® Linux Enterprise Server 12 prior to installing Network Agent.
- The libc6-i386 module must be installed on 64-bit versions of Debian and Ubuntu prior to installing Network Agent.
Before installing Kaspersky Security 10 for Windows Servers, remove third-party antivirus software from the server. Kaspersky Security 10 for Windows Servers can be installed on top of Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition.
For installation and correct operation of KSWS, Microsoft Windows Installer 3.1 must be installed on the server.
Download required files
The download link for the KES 11 distribution will be available in Q1 2018 and will be added to this document. For now, please use the files of the Kaspersky Endpoint Security 11 beta:
The installer contains encryption tools which use the AES cryptographic algorithm with an effective key length of 256 bits. The installer must be downloaded and used in accordance with local legislation.
KSC management plugin: klcfginst.msi (requires the Visual C++ 2015 Redistributable to be installed on the Administration Server).
Configure network
To be able to use all the features of Endpoint Security described in this guide, make sure the following ports are open on the hosts:
Please note that this is the list of ports that need to be open for POC purposes only. For the full list of required ports see: https://support.kaspersky.com/9297#block1
Port | Protocol | Purpose
13291 | TCP | Required for the SSL connection between the Administration Console and the Administration Server.
17000 | TCP | Required for the secure SSL connection to the activation proxy server.
15000 | UDP | Used for receiving a request for connection to the Administration Server, which allows receiving information about the computer in real-time mode.
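A quick way to verify the port list above before starting the deployment, as an added example that is not part of the Kaspersky guide: Test-KscPocPorts runs on a managed host or the console machine and probes the two TCP ports on the Administration Server; Test-KscListeners runs on the Administration Server itself and confirms the listeners exist, which is also the only practical way to check the inbound UDP 15000 port, since UDP has no handshake to probe remotely. The host name ksc.testlab.local is the one used by this POC and is assumed here.

```powershell
# Added example (not from the Kaspersky guide): check the POC ports.
# Requires the NetTCPIP module cmdlets (Windows 8 / Server 2012 or later).

function Test-KscPocPorts {
    # Run on a workstation or the console machine: can we reach the KSC TCP ports?
    param(
        [Parameter(Mandatory)][string]$KscHost,
        [int[]]$TcpPorts = @(13291, 17000)
    )
    foreach ($port in $TcpPorts) {
        $r = Test-NetConnection -ComputerName $KscHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $KscHost
            Port      = $port
            Protocol  = 'TCP'
            Reachable = $r.TcpTestSucceeded
        }
    }
}

function Test-KscListeners {
    # Run on the Administration Server: is something actually listening?
    $expected = @(
        @{ Port = 13291; Protocol = 'TCP' },
        @{ Port = 17000; Protocol = 'TCP' },
        @{ Port = 15000; Protocol = 'UDP' }
    )
    foreach ($e in $expected) {
        $listening = if ($e.Protocol -eq 'TCP') {
            [bool](Get-NetTCPConnection -State Listen -LocalPort $e.Port -ErrorAction SilentlyContinue)
        } else {
            [bool](Get-NetUDPEndpoint -LocalPort $e.Port -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{ Port = $e.Port; Protocol = $e.Protocol; Listening = $listening }
    }
}

# On a workstation or the console machine (assumed POC host name):
Test-KscPocPorts -KscHost 'ksc.testlab.local' | Format-Table -AutoSize
# On the Administration Server:
Test-KscListeners | Format-Table -AutoSize
```

A port that is listening on the server but not reachable from the client points at a firewall between the two (Windows Firewall on the server or a network device), which is the usual cause of an agent that installs fine but never reports in.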
Check accounts rights and permissions
If you do not plan to install KESL via KSC and Network Agent, you must have root privileges on the computer on which you are installing the product.
Required account (product columns left to right as in the original table):
Local installation: Local administrator | Local administrator | root | Administrator | Local administrator
Remote installation: N/A | Local administrator | − | − | Local administrator
If you plan on using a different user account as a default account for running the services of Kaspersky
Security Center, you must add it to the KLAdmins group after installing the product.
Setup and deploy
Kaspersky Security Center 10
Administration server
Congratulations! You have installed the Administration Server and Administration Console.
On the first run of the Administration Console after the installation of the Administration Server you will be prompted to add a license key for Kaspersky Security Center and to create or import the policies for the applications. You can proceed with the wizards or cancel these steps.
Please note that these steps may be slightly updated when the KES 11 release becomes available in Q1 2018.
Network Agent
Network Agent (Kaspersky Security Center Administration Agent) can be installed locally or remotely by means of KSC. This section shows the remote installation of a Network Agent.
After the task completes you will have Network Agents installed on the target devices.
At the moment, KSC does not support remote installation of Network Agent on Linux OS. However, it is possible to do so if an SSH daemon is up and running on the target VMs.
To perform remote installation via SSH you need the PuTTY utilities package to be installed on the KSC server.
Create a .bat script, for example install.bat, and paste the following content into it:
REM install.bat: remote installation of Network Agent on one Linux host via plink
set COMP=[target computer IP address]
set PW=[password for root]
REM download the Network Agent package and the answer file from the KSC web server
"C:\Program Files\PuTTY\plink.exe" -pw %PW% root@%COMP% "wget -P /home/root http://[ksc_ip_address]:8060/Public/klnagent-10.1.1-18.i386.rpm"
"C:\Program Files\PuTTY\plink.exe" -pw %PW% root@%COMP% "wget -P /home/root http://[ksc_ip_address]:8060/Public/answer.txt"
REM install the package
"C:\Program Files\PuTTY\plink.exe" -pw %PW% root@%COMP% "rpm -i /home/root/klnagent-10.1.1-18.i386.rpm"
REM run the post-install configuration script, feeding it the prepared answers
"C:\Program Files\PuTTY\plink.exe" -pw %PW% root@%COMP% "/opt/kaspersky/klnagent/lib/bin/setup/postinstall.pl < /home/root/answer.txt"
In this document the plink.exe utility is used for remote command execution (an SSH client analog for Windows). To be able to run commands on a remote PC the utility needs a user account (root in this case), its password (-pw flag) and the target host name or IP address (COMP variable).
To deploy Network Agent on several VMs you have to modify the script to include a FOR loop statement and go through the list of VMs.
Optionally you can configure password-less SSH access to the VMs using public key authentication in order to avoid specifying the password in the script.
The first two commands start the wget utility on the target machine, which downloads the necessary files from the KSC web server to the /home/root folder (-P flag). After this, Network Agent is installed.
Right after the installation, the post-install script starts and is provided with answers from answer file (answer.txt):
ksc.testlab.local
14000
13000
Y
1
Each line of this file contains the information requested by the Network Agent setup script:
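The two refinements suggested above (looping over a list of VMs, and public key authentication instead of a password in the script) combined into one script, as an added example that is not part of the Kaspersky guide. It keeps the guide's plink commands, package name, KSC web server path and answer.txt, and assumes: a hosts.txt file with one target per line, a PuTTY-format private key at C:\keys\ksc.ppk whose public half is in root's authorized_keys on each target, and a placeholder KSC address.

```powershell
# Added example (not the guide's script): deploy Network Agent to several Linux
# hosts with plink and public key authentication. Assumptions: hosts.txt,
# C:\keys\ksc.ppk and the KSC address below are placeholders for this POC.
$Plink = 'C:\Program Files\PuTTY\plink.exe'
$Key   = 'C:\keys\ksc.ppk'
$KscIp = '192.0.2.10'                 # placeholder: replace with the KSC address
$Rpm   = 'klnagent-10.1.1-18.i386.rpm' # package name from the guide

function Invoke-RemoteRoot {
    param([string]$Target, [string]$Command)
    # -batch: never prompt, so an unknown host key aborts instead of hanging;
    # -i: private key, so no password appears in the script or process list.
    & $Plink -batch -ssh -i $Key "root@$Target" $Command
    if ($LASTEXITCODE -ne 0) {
        throw "'$Command' failed on $Target (exit code $LASTEXITCODE)"
    }
}

# hosts.txt: one IP address or host name per line (constructed input file)
foreach ($target in (Get-Content .\hosts.txt | Where-Object { $_.Trim() })) {
    Write-Host "=== $target ==="
    try {
        Invoke-RemoteRoot $target "wget -q -P /home/root http://${KscIp}:8060/Public/$Rpm"
        Invoke-RemoteRoot $target "wget -q -P /home/root http://${KscIp}:8060/Public/answer.txt"
        Invoke-RemoteRoot $target "rpm -i /home/root/$Rpm"
        Invoke-RemoteRoot $target "/opt/kaspersky/klnagent/lib/bin/setup/postinstall.pl < /home/root/answer.txt"
        Write-Host "${target}: Network Agent installed"
    } catch {
        # one failing host does not stop the rollout to the others
        Write-Warning $_
    }
}
```

Because of -batch, plink refuses hosts whose SSH key is not yet in the PuTTY cache; connect to each VM once interactively (or pre-populate the cache) so that the script never silently accepts an unverified host key.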
Kaspersky Endpoint Security 11
This section describes the remote installation using a remote installation task. First you will create an installation package, then proceed with the task.
14. If you skip adding the key you will see the following warning.
Kaspersky Security 10 for Windows Servers
This chapter describes the remote installation using a remote installation task. First you will create an installation package, then proceed with the task.
If you did not select the application management plugin to be installed during the Administration Server installation, please install it. To do so, run klcfginst.exe, which is located within the application distribution.
In order to be able to manage the application remotely you have to create an application security policy. If no policy has been created, create one with the default parameters.
Kaspersky Endpoint Security 10 for Linux
- Ubuntu: https://help.ubuntu.com/community/AppArmor#Disable_AppArmor_framework
- Debian: https://wiki.debian.org/AppArmor/HowToUse
- CentOS/RHEL: https://wiki.centos.org/HowTos/SELinux#head-430e52f7f8a7b41ad5fc42a2f95d3e495d13d348
Activation
You can activate the application within the deployment process. If you did not do this, you can add a license key later with an activation task. For each application described in this guide the task name differs slightly. For KES for Windows and KES for Linux the task name is Add key; for KSWS the task name is Activation of Application.
Update
After the installation of the Endpoint Security applications (KES 11 for Windows, KES 10 for Linux and KSWS 10) you must create the update tasks for each application and run a database update in order to ensure the use of the latest databases and signatures.
Capability scenarios
The following scenarios are designed to help you experience the key features of Endpoint Security. They highlight the most important new functionality and take you through how you can use these features in your own case. You can go through them in order or start with the one that interests you most. They can be demonstrated in any order at any time.
The steps included in the «Setup and deploy» section are mandatory before proceeding with these scenarios.
Antimalware protection for workstations (KES)
AMSI
The Antimalware Scan Interface (AMSI) is a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. It provides enhanced malware protection for users and their data, applications, and workloads.
AMSI is antimalware vendor agnostic, designed to allow for the most common malware scanning and protection techniques provided by today's antimalware products to be integrated into applications. It supports a calling structure allowing for file and memory or stream scanning, content source URL/IP reputation checks, and other techniques (source: https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx).
KES 11 supports AMSI. In this scenario you will see how KES uses AMSI to detect malware in obfuscated PowerShell scripts.
Evaluation steps:
Expected results:
Instructions:
You have shown how the script execution is intercepted with AMSI and a malicious action is prevented by KES 11.
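Before running the obfuscated script test it is worth confirming that the endpoint product is actually wired into AMSI, otherwise a missing detection says nothing about the product. The following check, an added example that is not part of the Kaspersky guide, lists the AMSI providers registered on the machine. It reads the provider registrations under HKLM\SOFTWARE\Microsoft\AMSI\Providers (one subkey per provider CLSID) and resolves each CLSID's friendly name and DLL path from its COM registration; the assumption that the KES provider's name contains "Kaspersky" is used only for the final warning.

```powershell
# Added example (not from the guide): enumerate registered AMSI providers.
# Run from a 64-bit PowerShell on 64-bit Windows so the registry is not redirected.
function Get-AmsiProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return }   # no AMSI registrations at all
    foreach ($key in Get-ChildItem $root) {
        $clsid = $key.PSChildName            # e.g. {GUID}
        $cls   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name  = (Get-ItemProperty $cls -ErrorAction SilentlyContinue).'(default)'
        $dll   = (Get-ItemProperty "$cls\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $dllExists = $false
        if ($dll) {
            # paths are often stored with %ProgramFiles% and/or surrounding quotes
            $expanded  = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            $dllExists = Test-Path $expanded
        }
        [pscustomobject]@{
            Clsid     = $clsid
            Name      = $name
            Dll       = $dll
            DllExists = $dllExists
        }
    }
}

$providers = @(Get-AmsiProvider)
$providers | Format-Table -AutoSize

# Assumption: the KES provider registers with a name containing 'Kaspersky'.
if (-not ($providers | Where-Object { $_.Name -like '*Kaspersky*' -and $_.DllExists })) {
    Write-Warning 'No Kaspersky AMSI provider with a present DLL is registered; the AMSI scenario cannot show a KES detection on this host.'
}
```

A provider whose DLL is missing on disk is registered but cannot be loaded, so the table reports both the registration and whether the file exists.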
Exploits prevention
This scenario shows the exploit prevention capabilities of Kaspersky Endpoint Security 11. The scenario requires a specific environment, which is described below. During this scenario you will use the Metasploit framework in order to try to exploit two different vulnerabilities using the modules named in the instructions below.
Environment description:
OS: Windows 7 SP1 x86 (32-bit, build 7601)
Installed applications:
- JRE 1.6
- MS Office 2007
- Metasploit framework (https://windows.metasploit.com/metasploitframework-latest.msi)
Evaluation steps:
1. Prepare environment
2. Disable file threat protection
3. Install Metasploit framework
4. Exploit Vulnerabilities
5. Check the results
Expected results:
Instructions:
5. Execute command: use exploit/windows/fileformat/ms12_027_mscomctl_bof
6. Execute command: run
7. Execute command: use exploit/windows/browser/ie_cgenericelement_uaf
8. Execute command: run
Congratulations! You have just shown how KES 11 prevents the exploitation of vulnerabilities.
Web threat protection
The Web threat protection component ensures that the workstation is protected from different web threats, including malicious web resources, malware and ransomware. In order to confirm that the "Web threat protection" component is enabled, you will try to open a test phishing page in a web browser. As a result, a banner with an alert will be shown in the browser window.
Evaluation steps:
Expected results:
Instructions:
http://www.kaspersky.com/test/wmuf
or
http://malware.wicar.org/data/vlc_amv.html
Anti-Bridging
The anti-bridging feature in KES 11 denies the use of a network interface when another active network interface is present in the system, so a network bridge cannot be created between the enabled and the disabled interface. This scenario shows how to enable the anti-bridging feature and how it affects the system. In this how-to, you will see how to deny the use of a second Ethernet connection.
Evaluation steps:
Expected results:
The use of the second network interface is denied by the Anti-Bridging feature. One of the network interfaces becomes disabled after enabling the feature.
Instructions:
Now you have anti-bridging enabled and configured, and the user or local administrator will not be able to create a network bridge.
Network threat protection
This scenario demonstrates how the Network Threat Protection component works and how it is configured.
Evaluation steps:
Expected results:
Instructions:
4. Detailed view.
Antimalware protection for servers (KSWS, KESL)
Ransomware is one of the top threats that customers are most concerned about nowadays. In this scenario servers are protected with KSWS10, and crypto-locker software is going to be executed from a remote host in order to encrypt valuable documents in a network share.
To protect from these threats, you will configure the Anti-Cryptor and Untrusted Host blocking features of KSWS10.
Evaluation steps:
1. Create network shared folder with write permissions to everyone on the protected folder and fill it with some data
(documents).
2. Map the network share as a network drive to the attacker computer.
3. Encrypt files in the share from the remote host.
4. Enable Anti-Cryptor and Untrusted Host blocking features on the protected server.
5. Try to encrypt files in the network share.
6. Check the results.
Expected results:
The encryption of the files in the network share is detected by KSWS and the access to the share is blocked for the
remote host.
Instructions:
Congratulations! You have successfully protected network shared folders on the server from ransomware.
Untrusted hosts were blocked for specified time.
KSWS ICAP-integration with proxy server
This scenario shows how KSWS can be integrated with a proxy server, Squid in this case. The proxy server will send objects for scanning to KSWS via ICAP. Depending on the KSWS verdict, the proxy server will allow or block access to the object.
For this feature to be available you must have a Kaspersky Security for storages license.
Evaluation steps:
Expected results:
Instructions:
icap_enable on
http://www.eicar.org/download/eicar.com
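The single directive shown above (icap_enable on) only switches the ICAP client on; Squid also needs a service definition and an access rule before anything is sent to KSWS. The fragment below is an added example of a minimal Squid 3.x ICAP section, not configuration taken from the Kaspersky guide. KSWS_HOST and the service path /av/respmod are placeholders; take the real host and service name from the KSWS ICAP-Network Storage Protection settings. 1344 is the standard ICAP port and is assumed to be what KSWS listens on.

```conf
# Added example (not from the guide): Squid 3.x squid.conf ICAP section.
# Placeholders: KSWS_HOST, and the /av/respmod service path.
icap_enable on
icap_preview_enable on          # let KSWS decide on the first bytes before the whole object is sent
icap_preview_size 1024
icap_send_client_ip on          # KSWS can then log which client requested the object

# Scan downloaded objects (responses) before they are cached and returned to the client.
# bypass=off: if KSWS is unreachable, Squid returns an error instead of serving the object unscanned.
icap_service ksws_resp respmod_precache icap://KSWS_HOST:1344/av/respmod bypass=off
adaptation_access ksws_resp allow all
```

The bypass setting is the security-relevant choice here: bypass=on keeps the proxy working when the scanner is down but turns every KSWS outage into unscanned downloads; bypass=off fails closed, which is what the expected result of this scenario (EICAR download blocked) relies on.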
Evaluation steps:
Expected results:
The EICAR test virus file will be deleted by Real-time protection right after it is downloaded.
Instructions:
Data protection for Desktops (KES)
Full disk encryption
The full disk encryption feature protects data from being accessed by unauthorized persons in case a laptop or a hard drive is stolen. This scenario shows how to configure full drive encryption with the Kaspersky Disk Encryption technology in KES 11.
Evaluation steps:
Expected results:
Instructions:
Congratulations! You have encrypted the hard drives with Kaspersky encryption technology.
USB File Level Encryption with portable mode
Kaspersky Endpoint Security allows you to secure sensitive data with file level encryption technology when the data is transferred to removable drives. This scenario shows how to configure USB File Level Encryption with the portable file manager in order to ensure that sensitive data on the removable drive can be accessed only by an authorized person.
Evaluation steps:
Expected results:
Data can be accessed only with authorization via portable file manager.
Instructions:
You have configured the encryption policy to encrypt only files that are added to a USB drive after the policy is applied. The files can be accessed with the portable file manager.
BitLocker management
KES 11 offers the BitLocker management capability in order to provide more flexible tools for drive encryption. This
scenario shows how to configure full drive encryption feature using BitLocker Drive Encryption technology.
Evaluation steps:
Expected results:
Instructions:
Congratulations! You have encrypted the hard drives with BitLocker Drive Encryption technology.
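To verify the expected result of the BitLocker scenario rather than relying on the KSC status icon, the following check, an added example that is not part of the Kaspersky guide, reports every volume's encryption state, whether protection is actually on, and which key protectors exist. A volume that is fully encrypted but has protection Off (for example, after a suspend) is still readable without credentials, so the check treats only FullyEncrypted plus protection On as a pass. It uses the Get-BitLockerVolume cmdlet of the built-in BitLocker PowerShell module and needs an elevated prompt.

```powershell
# Added example (not from the guide): BitLocker status of all volumes on this host.
function Get-BitLockerPocStatus {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Mount      = $_.MountPoint
            Type       = $_.VolumeType          # OperatingSystem / Data
            Status     = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            Protection = $_.ProtectionStatus    # On / Off
            Percent    = $_.EncryptionPercentage
            Protectors = (@($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
            # Pass only when the data is encrypted AND the protectors are enforced
            Ok         = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

$status = @(Get-BitLockerPocStatus)
$status | Format-Table -AutoSize
$failed = $status | Where-Object { -not $_.Ok }
if ($failed) {
    Write-Warning ("Volumes not fully protected: " + (($failed | ForEach-Object { $_.Mount }) -join ', '))
}
```

The Protectors column is what to look at when the scenario used a TPM-only policy versus TPM plus PIN or a recovery password: it shows which unlock methods the policy actually produced on the drive.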
Desktop controls
Web control
Many companies are concerned about Internet traffic consumption. When analyzing the company's Internet traffic, security administrators may want to prevent users from visiting social networks.
This is possible with the Web Control component available in the KES 11 application. In this evaluation scenario, we will configure blocking of access to social networks for all users.
Evaluation steps:
Expected results:
Instructions:
Action: Block
Congratulations! You have configured the Web Control feature to block the access to social networks.
Device control
This scenario shows the capability of device control component and how to deny the use of unwanted removable
drives.
Evaluation steps:
Expected results:
Instructions:
5. Details.
You have configured Device Control feature to block the use of unwanted removable drives.
Application startup control
This scenario demonstrates how Application Startup Control blocks the launch of untrusted programs. In this scenario you will configure a default deny policy with a minimum set of applications allowed to start. Then you will add the Internet browsers to the whitelist.
Evaluation steps:
Expected results:
The launch of the application that is not in the whitelist is blocked. After adding the application to the whitelist the
launch of the application is allowed.
Instructions:
Congratulations! You have configured application Startup Control Default Deny policy and added additional
applications (the Internet browsers) to the whitelist.
Conclusion
This concludes your evaluation of Endpoint Security. This simplified guide is intended for a quick evaluation of the product features, using a narrow scope of work. It does not replace the Product Documentation and detailed Deployment Guides (see the Further reading section). Through this process, you have learned how to install the Endpoint Security products and demonstrate their most interesting features.
Appendix A: POC success criteria
1. Prepare environment
1.1 Review the requirements: POC environment meets all the imposed requirements
1.2 Configure network: All required network ports are open in the right direction
1.3 Check accounts rights and permissions: POC is performed through accounts having sufficient privileges
2.1.1 Install Network Agent for Windows: Network Agents are installed on the target devices
2.1.2 Install Network Agent for Linux: Network Agents are installed on the target devices
2.2 Install Kaspersky Endpoint Security 11 for Windows: KES 11 for Windows is installed on the target devices
2.3 Install Kaspersky Endpoint Security 10 for Linux: KES 10 for Linux is installed on the target devices
2.4 Install Kaspersky Security 10 for Windows: KSWS 10 is installed on the target devices
4.2 KSWS ICAP-integration with proxy server: EICAR test virus file download is blocked
5.2 USB File Level Encryption with portable mode: Files on a USB flash drive are encrypted and can be accessed only with the portable file manager
6. Workstation controls
Appendix C: Ransomware emulation script
:Step1
REM the share must be mapped as drive Z: before the script runs
if exist Z:\ goto :Step2
echo **** not exist \\ksc.testlab.local\share ****
pause
exit
:Step2
REM encrypt every file on the share with AES Crypt (password "root")
C:\AESCrypt\aescrypt.exe -e -p root Z:\*.*
if exist Z:\EULA.txt.aes goto :Step3
:Step3
REM remove the original documents, leaving only the encrypted copies
del Z:\*.docx
echo **** Congratulations!!! Files are encrypted ****
pause
exit
Appendix D: AMSI demonstration scripts
bsstest_amsi.ps1 (only the closing of the first Try block is present in this copy):
}
Catch
{
    # First invoke failed?
    # Log exception
    Write-Host $_
    # Return error code
    Write-Host "Test failed"
    exit 1
}
Try
{
    # this should be blocked from bases (receiving part)
    iex "#KLBssBlockMeBasesAmsi#"
    Write-Host "Test failed"
    exit 2
}
Catch
{
    # Log exception
    Write-Host $_
}
Try
{
    # this should be blocked from bases (KDB scan)
    iex "#KLBssBlockMeBasesKdbAmsi#"
    Write-Host "Test failed"
    exit 3
}
Catch
{
    # Log exception
    Write-Host $_
}
obfuscate_bsstest_amsi:
Import-Module ./Invoke-Obfuscation.psd1
Out-ObfuscatedStringCommand -Path bsstest_amsi.ps1 -ObfuscationLevel 3 > bsstest_amsi_obf.ps1