Lab Manual
Scenario. You need to protect fewer than 100 computers with Kaspersky Endpoint Security for Business at ABC
Inc. One Administration Server and the Express edition of Microsoft SQL Server are enough for managing
protection within such a network. Install Kaspersky Security Center Administration Server on a dedicated computer
running Windows Server 2016. Microsoft SQL Server has been installed on the virtual machine beforehand.
Contents. In this lab, we will:
Install the Administration Server and other Kaspersky Security Center components
Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server
Install Kaspersky Security Center Administration Server with the default settings. The Web Console is
implemented as an independent component that has a separate distribution; its installer starts automatically as
soon as the KSC Administration Server installation completes.
Click Browse
Connect to the Administration Server using Kaspersky Security Center Web Console and proceed through the
Quick Start Wizard. Add an activation code. Configure notifications to administrator@abc.lab via SMTP server
10.28.0.10. Accept the KSN agreement. Download signature updates. Do not start the Remote Installation Wizard.
Enable automatic distribution for the license.
Select Workstations and Windows
Click Next
KL 002.11.6: Lab 1. Kaspersky Endpoint Security and Management: How to install Kaspersky Security Center
Select Lite encryption (56-bit)
Click Next
Select the Workstations Web plug-in of Kaspersky Endpoint Security
Click Next
Click Next
You installed the Administration Server, Kaspersky Security Center Web Console and management plug-in for
Kaspersky Endpoint Security. Also, you completed the Quick Start Wizard: created the default tasks and
policies, accepted the KSN agreement, configured notifications for the administrator and enabled
autodistribution for the key.
Further labs will teach you how to install Kaspersky Endpoint Security and Network Agent.
KL 002.11.6: Lab 2. Kaspersky Endpoint Security and Management: How to deploy Kaspersky Endpoint Security
Scenario. You need to install Kaspersky Endpoint Security on the network computers. You have installed the
Kaspersky Security Center Administration Server already. Now, use the Remote Installation Wizard to install
Kaspersky Endpoint Security and Network Agent on the computers discovered by the Administration Server.
Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server
Create a stand-alone installation package for Kaspersky Endpoint Security
Install a stand-alone package of Kaspersky Endpoint Security for Windows on a laptop
Study the results of deploying protection in the network
Run the Remote Installation Wizard and select the Kaspersky Endpoint Security package. To be able to access
the computers, specify the domain administrator account ABC\Administrator and password Ka5per5Ky. Leave the
other settings unchanged.
Wait for the task to install the applications. If the task prompts you to restart a computer, act as a user and restart it.
Any third-party antivirus could be installed on the Alex computer, which may theoretically complicate
installation. However, the installation task can automatically uninstall the third-party software.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Go to Discovery & Deployment | Deployment & Assignment | Installation Packages | In progress tab
Click the link Kaspersky Endpoint Security for Windows
Switch to the Application Settings tab and open the Network section
Open the Connectivity settings
Set the Synchronization interval (min) to 3
The synchronization interval is changed to speed up demonstration during our labs. We don’t recommend that you reduce it in the production environment
Select OK
Click Save
Select Kaspersky Endpoint Security for Windows in the list of installation packages
Click Next
Select Kaspersky Security Center 13 Network Agent
Click Next
Agree to uninstall incompatible applications and click Next
Agree to Move unassigned devices to group after the installation, select Managed devices and click Next
Type the abc\administrator username and Ka5per5Ky password and click OK
Click Next
Open the list of installation packages. Select the Kaspersky Endpoint Security package. Start the stand-alone
package creation wizard. Add the Network Agent to the installation package and select the group into which
the target computers are to be moved after the installation.
Configure relocation: Select Move unassigned devices to this group
Click Select group
Select Managed devices
Click OK
Click Next
From the client computer, open the KLSHARE folder on the Administration Server. Find and run the stand-alone package.
Study the results of the installation task. Make sure that the computers have been moved to the Managed devices
group. Make sure that Network Agent and Kaspersky Endpoint Security are installed on the computers.
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Reports
KL 002.11.6: Lab 3. Kaspersky Endpoint Security and Management: How to create a structure for the managed computers
Click Report on Kaspersky software versions
Make sure that it displays three instances of Kaspersky Endpoint Security and three instances of Network Agent, exactly the same number as there are network computers
Close the report
You have installed Kaspersky Endpoint Security and Network Agent using the remote installation wizard and
a stand-alone package.
If an antivirus by another manufacturer is installed on a computer, the installer will uninstall it and prompt to
restart the machine.
If a firewall is running on a computer or you haven’t specified an account that has administrative permissions on
the target machines, the installation will return an error.
Scenario. You have installed protection on the network computers and you want to configure it optimally. Assuming
that servers, desktops and laptops need different settings, create respective groups for them and move the computers
there. To avoid moving the computers into their groups by hand, create relocation rules with conditions based on
the operating systems and network parameters of the computers.
Create Servers and Workstations subgroups in the Managed devices container. Then create Desktops
and Laptops subgroups within the Workstations group.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Create another subgroup named Workstations
Select the Workstations group and click Add
Type Desktops for the group name
Repeat steps 6 and 7 to create the Laptops group
Open the list of rules in the properties of the Unassigned devices node. Create a rule for all computers that will
work permanently and move servers to the Servers group. Use the Network agent is running condition (Yes)
and the Operating system version condition with the Windows Server 2016 value. You can find both conditions
on the Applications tab.
Create similar rules that will move computers to the Desktops and Laptops groups respectively. Instead of
the Operating system version, use the IP Range condition on the Network tab. For desktop computers,
specify range 10.28.0.100–10.28.0.199; and for laptops, 10.28.0.200–10.28.0.254.
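The three relocation rules above, modelled as an added example (illustration code, not Kaspersky Security Center's implementation): the conditions within a rule are combined with AND, and first-match-wins ordering is an assumption of this model. The inventory is constructed; the Alex-Desktop and Kali addresses and the IP ranges come from the lab, while the other addresses and OS strings are assumed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

UNASSIGNED = "Unassigned devices"


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    os_version: str
    agent_running: bool


@dataclass(frozen=True)
class RelocationRule:
    """One relocation rule; every condition that is set must hold (AND)."""
    target_group: str
    agent_running: bool = True          # "Network agent is running" = Yes
    os_version: Optional[str] = None    # "Operating system version" condition
    ip_first: Optional[str] = None      # "IP Range" condition, inclusive ends
    ip_last: Optional[str] = None

    def __post_init__(self) -> None:
        if (self.ip_first is None) != (self.ip_last is None):
            raise ValueError("an IP range needs both a first and a last address")
        if self.ip_first is not None and IPv4Address(self.ip_first) > IPv4Address(self.ip_last):
            raise ValueError(f"empty IP range {self.ip_first}-{self.ip_last}")

    def matches(self, d: Device) -> bool:
        if d.agent_running != self.agent_running:
            return False
        if self.os_version is not None and d.os_version != self.os_version:
            return False
        if self.ip_first is not None:
            if not IPv4Address(self.ip_first) <= IPv4Address(d.ip) <= IPv4Address(self.ip_last):
                return False
        return True


# The three rules described in the lab text.
LAB_RULES = [
    RelocationRule("Managed devices/Servers", os_version="Windows Server 2016"),
    RelocationRule("Managed devices/Workstations/Desktops",
                   ip_first="10.28.0.100", ip_last="10.28.0.199"),
    RelocationRule("Managed devices/Workstations/Laptops",
                   ip_first="10.28.0.200", ip_last="10.28.0.254"),
]


def relocate(devices: List[Device], rules: List[RelocationRule] = LAB_RULES) -> Dict[str, str]:
    """Map each device name to the group of the first rule it matches.

    First-match-wins ordering is an assumption of this model; a device that
    matches no rule stays in Unassigned devices.
    """
    return {d.name: next((r.target_group for r in rules if r.matches(d)), UNASSIGNED)
            for d in devices}


def overlapping_ip_ranges(rules: List[RelocationRule]) -> List[Tuple[str, str]]:
    """Configuration check: pairs of rules whose IP ranges intersect."""
    ranged = [r for r in rules if r.ip_first is not None]
    pairs = []
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            if (IPv4Address(a.ip_first) <= IPv4Address(b.ip_last)
                    and IPv4Address(b.ip_first) <= IPv4Address(a.ip_last)):
                pairs.append((a.target_group, b.target_group))
    return pairs


# Constructed inventory. Alex-Desktop's and Kali's addresses come from the
# manual; the other addresses and the OS strings are assumptions for this example.
SAMPLE_DEVICES = [
    Device("DC", "10.28.0.10", "Windows Server 2016", True),
    Device("KSC", "10.28.0.20", "Windows Server 2016", True),
    Device("Alex-Desktop", "10.28.0.100", "Windows 10", True),
    Device("Tom-Laptop", "10.28.0.200", "Windows 10", True),
    Device("Kali", "10.28.0.50", "Kali Linux", False),                  # no Network Agent
    Device("New-Server", "10.28.0.150", "Windows Server 2016", False),  # in desktop range, no agent
    Device("Lab-Server", "10.28.0.150", "Windows Server 2016", True),   # server rule wins over IP range
]

if __name__ == "__main__":
    for name, group in relocate(SAMPLE_DEVICES).items():
        print(f"{name:13} -> {group}")
    print("overlapping IP ranges:", overlapping_ip_ranges(LAB_RULES))
```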
Go to Devices | Managed Devices
At the top of the page, click the path KSC / Managed Devices
On the group structure tree, select KSC | Managed devices | Servers
KL 002.11.6: Lab 4. Kaspersky Endpoint Security and Management: How to test protection of Windows Subsystem for Linux
In a similar manner, make sure that the other computers have been moved to their respective groups
You installed protection and organized the computers into groups. The default settings are optimized for an
average user of Kaspersky Endpoint Security. They reliably protect computers and minimize the performance
impact. You can adjust the protection-comfort balance as necessary: Reinforce protection in some aspects, and
maybe make concessions in some others aiming to improve the user experience. Further labs will explain how
to fine-tune the protection settings.
Scenario. By default, Kaspersky Endpoint Security supports Windows Subsystem for Linux: It is a compatibility
layer for running Linux applications in the latest versions of Microsoft Windows. In our environment, Windows
Subsystem for Linux is based on Kali Linux 2018. We will run a test malicious file in Windows Subsystem for
Linux and make sure that Kaspersky Security for Windows Server detects and deletes it.
In this lab, we will try to compile a loader for eicar.com within Windows Subsystem for Linux that is running
under Windows 10.
Press WIN+R
Type wsl
Click OK
Click Reports
This lab demonstrates how Kaspersky Endpoint Security can detect malicious files that are saved or created
within Windows Subsystem for Linux.
KL 002.11.6: Lab 5. Kaspersky Endpoint Security and Management: How to configure Mail Threat Protection
Scenario. When an administrator emails an executable file to a user who is to run it and thus solve an issue,
Kaspersky Endpoint Security renames the attachment. To save time and avoid explaining to the users how to
rename them back, configure Mail Threat Protection not to rename files. At the same time, criminals often use files
with a double extension to trick users into running a malicious executable disguised as a document. Such files
should be deleted.
Contents. In this lab, configure Mail Threat Protection not to rename attached *.exe files and delete files
with double extension *.pdf.exe.
Send a message to tom@abc.lab with a zipped *.pdf.exe file attached. Receive the message and make sure
that Mail Threat Protection has changed the extension of the archived file.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Connect to Alex-Desktop.
Open Outlook
Create a new message:
— Specify the address. In the To: box, type tom@abc.lab
— In the Subject: box, type Weekly report
— Attach the Document1.zip file to the message (Z:\LabFiles\Lab5)
Click Send to dispatch the message
In Kaspersky Endpoint Security policy, edit the list of attachment formats that Mail Threat Protection processes.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Go to the Essential Threat Protection section
Open the Mail Threat Protection settings
Reconfigure attachment filtering. Choose Delete attachments of selected types
Create a new attachment filter: Click Add
In the Extension field, type *.pdf.exe
Click OK
You have configured Mail Threat Protection not to rename .exe files.
If the network is being attacked through email by a new virus that has not yet been added to either signature
database or KSN, configure Mail Threat Protection to rename or delete all executable attachments.
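An added example (not the product's code) of the attachment filter this lab configures: delete attachments whose name matches *.pdf.exe, including members of a zip attachment, while leaving plain *.exe attachments alone. It goes a step beyond the lab by generalising the double-extension check to the other document types this manual mentions; the sample archive and its member names are constructed.

```python
import fnmatch
import io
import zipfile
from pathlib import PurePosixPath
from typing import Iterable, List, Optional, Tuple

# Patterns the lab adds to the "Delete attachments of selected types" list.
DELETE_PATTERNS = ("*.pdf.exe",)

# Generalisation of the lab's *.pdf.exe case to the other document types this
# manual mentions and to the executable types that appear in it.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat"}


def base_name(name: str) -> str:
    """Last path component, case-folded; archive members may carry directories."""
    return PurePosixPath(name.replace("\\", "/")).name.lower()


def matches_any(name: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive glob match of the attachment name against the filter list."""
    base = base_name(name)
    return any(fnmatch.fnmatchcase(base, p.lower()) for p in patterns)


def has_disguised_double_extension(name: str) -> bool:
    """True for names like invoice.docx.exe: a document extension hiding an executable one."""
    suffixes = [s.lower() for s in PurePosixPath(base_name(name)).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] in EXECUTABLE_EXTS
            and suffixes[-2] in DOCUMENT_EXTS)


def filter_archive(zip_bytes: bytes,
                   patterns: Iterable[str] = DELETE_PATTERNS) -> Tuple[bytes, List[str]]:
    """Rebuild a zip without the members that match the delete patterns (one nesting level)."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if matches_any(info.filename, patterns):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info))
    return out.getvalue(), removed


def filter_attachment(name: str, data: bytes,
                      patterns: Iterable[str] = DELETE_PATTERNS
                      ) -> Tuple[Optional[str], bytes, List[str]]:
    """Apply the filter to one attachment.

    Returns (name, or None if the whole attachment is deleted; data; removed names).
    Plain *.exe attachments pass through unchanged, as the lab's policy requires.
    """
    if matches_any(name, patterns):
        return None, b"", [name]
    if base_name(name).endswith(".zip"):
        cleaned, removed = filter_archive(data, patterns)
        return name, cleaned, removed
    return name, data, []


def archive_members(zip_bytes: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_zip() -> bytes:
    """Constructed stand-in for the lab's Document1.zip: one disguised executable, one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Weekly report.pdf.exe", b"MZ not a real program")
        zf.writestr("readme.txt", b"constructed sample text")
    return buf.getvalue()


if __name__ == "__main__":
    name, data, removed = filter_attachment("Document1.zip", build_sample_zip())
    print("kept attachment:", name, "members:", archive_members(data), "removed:", removed)
    # A plain *.exe delete rule would also catch *.pdf.exe, so the narrower
    # pattern is listed on its own and *.exe stays out of the delete list.
    print("'*.exe' also matches report.pdf.exe:", matches_any("report.pdf.exe", ("*.exe",)))
```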
KL 002.11.6: Lab 6. Kaspersky Endpoint Security and Management: How to test Web Threat Protection
Scenario. Kaspersky Endpoint Security can scan https traffic under the default settings. It replaces the
certificate for this purpose, which sometimes may affect banking or other software that uses its own certificate.
To avoid interaction issues, Kaspersky Endpoint Security permits excluding encrypted traffic from scanning.
Make sure that Web Threat Protection scans https traffic under the default settings
Turn off encrypted traffic scanning for the PowerShell application
Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https
Run PowerShell, try to download the eicar_com.zip file and check how Kaspersky Endpoint Security will react.
Press WIN+R
Type powershell
Click OK
4. Download the eicar_com.zip file via PowerShell over https. Carry out the following command:
Invoke-WebRequest -Uri "https://secure.eicar.org/eicar_com.zip" -OutFile "C:\temp\eicar_com.zip"
Make sure that Kaspersky Endpoint Security has blocked the download. Do not close the PowerShell window
Add PowerShell to the list of trusted applications, try to download the eicar_com.zip file and check how
Kaspersky Endpoint Security will react.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Go to the General settings section
Open Exclusions
To add a trusted application, click the link Trusted applications in the lower-left part of the page
Click Add
Download the eicar_com.zip file from the www.eicar.org website through the PowerShell application once again.
Make sure that Web Threat Protection will not block the test virus if it is downloaded via a trusted application.
21. Download eicar_com.zip over the https secure protocol one more time. Carry out the following command:
Invoke-WebRequest -Uri "https://secure.eicar.org/eicar_com.zip" -OutFile "C:\temp\eicar_com.zip"
KL 002.11.6: Lab 7. Kaspersky Endpoint Security and Management: How to test protection of network folders against ransomware
This lab demonstrates how to add an application to the trust list and prevent scanning its encrypted traffic.
The option Do not scan network traffic configured for trusted programs applies to the Mail Threat Protection, Web
Threat Protection and Web Control components, and does not influence the Firewall or Network Threat Protection.
Scenario. Of all threats, you are most concerned about ransomware that encrypts data in shared folders. If
Kaspersky Endpoint Security fails to detect a new malware version one day, the company will lose much
money. You want to use the Behavior Detection protection component to counter ransomware.
Disable other protection components that can block the test file earlier than Behavior Detection. Find the
ransomware2.bat script on the desktop of the Alex-Desktop computer and run it. It imitates ransomware:
Encrypts files in shared network folders and deletes the originals.
Make sure that Kaspersky Endpoint Security has restored the file invoice.txt, and Alex cannot modify files in
the network shared folder anymore.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application Settings tab
In the Advanced Threat Protection section, click Host Intrusion Prevention
In the Essential Threat Protection section, click Firewall
Disable Firewall
Click OK
Find the ransomware2.bat file on the desktop. It imitates actions of file encrypting ransomware
Run the ransomware2.bat file
Open the invoice.txt.aes file in Notepad
Make sure that the invoice.txt.aes file is encrypted
Close Notepad
In some cases, the original invoice.txt file remains intact because Behavior Detection blocks remote connection as
soon as it detects the encryption attempt, which may happen before the script deletes the original file.
Consult the report of the Behavior Detection protection component on Tom-Laptop. Note the actions that
the protection component performed.
In some cases, Behavior Detection may consider operations performed by design engineering applications as crypto
ransomware activity. To prevent false positives, we recommend that you add such computers to the exclusions of Behavior Detection.
Select the Administration Server and edit the Kaspersky Endpoint Security policy. Add the IP address of the Alex-Desktop
computer to the list of exclusions of the Behavior Detection component.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
In the Advanced Threat Protection section, click Behavior detection
Reconfigure protection of shared folders against external encryption: Switch the action from Block connection to Notify
To create an exclusion, click Add
Create an exclusion. Type the IP address of the Alex-Desktop workstation (10.28.0.100)
Click OK twice
Save the changes to the policy
In this lab, we demonstrated that Kaspersky Endpoint Security can detect malicious ransomware activity with
the default settings. The Behavior Detection component takes care of that.
If necessary, the administrator can always specify exclusions for the protection component and allow
specific network devices to encrypt files in shared folders.
KL 002.11.6: Lab 8. Kaspersky Endpoint Security and Management: How to test protection against fileless threats
Scenario. Recently, a new threat vector has become popular, which uses PowerShell, a powerful operating system
administration and management tool. Criminals can run their code in the address space of a PowerShell process.
A fileless attack is hard to detect since malicious code is executed in memory, unlike an ordinary virus that
stores its files on the local drive. Typically, attacks via PowerShell are performed after the machine has been
compromised using other malicious actions, usually exploitation of software vulnerabilities.
Contents. In this lab, we will disable KSN and test how anti-malware scan interface (AMSI) detects fileless threats.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Press WIN+R
Type powershell
Click OK
Run the test PowerShell script. Carry out the following command:
.\bsstest_amsi.ps1
You’ve made sure that even if some of the protection components are disabled, Kaspersky Endpoint Security
can efficiently interact with the script interpreters built into Microsoft Windows operating systems to detect and
block malicious code.
Scenario. Criminals can exploit vulnerabilities much more easily than one would imagine. With such a powerful tool
as Metasploit Framework, a criminal can create an exploit and send it to unsuspecting company employees.
KL 002.11.6: Lab 9. Kaspersky Endpoint Security and Management: How to check health of Exploit Prevention
On the Kali computer, run the Metasploit Framework penetration testing utility. Attack HTA (HTML Application).
The KSC, DC, Kali, Alex-Desktop and Tom-Laptop machines must be powered on.
Start the Metasploit Framework console. Carry out the following command:
msfconsole
Display the list of applications vulnerable to this exploit. Carry out the following command:
show targets
Specify the address of the listening server (address of the Kali computer). Carry out the following command:
set LHOST 10.28.0.50
Copy the http://10.28.0.50:8080/*******.hta link to the clipboard (select Copy Link on the shortcut menu)
Open a new terminal instance
In the terminal, type
mailsend
Specify the following parameters:
— SMTP server address/IP = 10.28.0.10
— From = tom@abc.lab
— To = alex@abc.lab
— Subject = Report
Press ENTER
Paste the link from step 11: http://10.28.0.50:8080/*******.hta
Press ENTER
Type one dot “.”
Press ENTER
In this task, you will disable some of the Kaspersky Endpoint Security protection components.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Disable the following protection components:
— KSN
— Behavior Detection
Switch to the Security Controls section
Disable the following protection components:
— Application Control
— Adaptive Anomaly Control
Go to the Essential Threat Protection section
Disable the following protection components:
— File Threat Protection
— Web Threat Protection
— Mail Threat Protection
— AMSI Protection
Click Save to save the policy
Click Yes to confirm
Wait for the policy to be applied
In this lab, we made sure that the multitier defense system of Kaspersky Endpoint Security repels advanced
threats even when the main protection components are disabled.
KL 002.11.6: Lab 10. Kaspersky Endpoint Security and Management: Improve workstations’ protection against ransomware
Scenario. Of all threats, you are most concerned about crypto ransomware. If Kaspersky Endpoint Security fails
to detect a new malware version one day, the company will lose much money. To decrease the risk, configure
Host Intrusion Prevention to prohibit all programs except for trusted from editing documents on the computers.
Contents. In this lab, we will:
Simulate a ransomware infection
Prohibit all programs except for trusted from editing and deleting documents
Configure Host Intrusion Prevention events to be stored on the Administration Server
Simulate encrypting a document and check the result
Find the ransomware.bat script on the desktop of the Tom-Laptop computer and run it. It is designed to
encrypt text documents and delete the original files.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open the Host Intrusion Prevention settings in the Kaspersky Endpoint Security policy. Find the list of
protected resources. Create a Documents category. Add files with the *.txt extension to it. Prohibit all programs
except for trusted from editing, deleting and creating files of this category.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
In the Advanced Threat Protection section, click Host Intrusion Prevention
To create a new category, in the left pane, click Add
Select Category of protected resources
Type Protected files for the category name
Click the link Operating system
Add a subcategory: In the left pane, click Add
Select Category of protected resources
Type Documents for the name
Click the Operating system link
Select the Protected Files subcategory
Click OK twice
Select the Documents subcategory
Click OK twice
To select the category Personal Data | Protected files, click on an empty space within the Protected files row
To prohibit applications that have Low and High Restricted reputation from editing files that belong to this category, change the action for Write, Delete and Create operations to Block
Configure Host Intrusion Prevention to log attempts to edit documents. Enable Log events: Write, Delete and Create for all the block actions
Open event settings in the policy. Find information events of Host Intrusion Prevention: Application placed in
restricted group and Application Privilege Control rule triggered. Configure the policy to store these events
on the Administration Server.
Go to the Event configuration tab and switch to the Info section
Click Add events
Find the ransomware.bat script on the desktop of the Alex-Desktop computer and run it. It is designed to encrypt
text documents and delete the original files. Make sure that the script cannot delete the text file this time.
Consult the Host Intrusion Prevention events on the Administration Server. Make sure that it was Host
Intrusion Prevention that did not allow the script to delete the text document.
Find the ransomware.bat and invoice.txt files on the desktop
Run the ransomware.bat file
Make sure that the invoice.txt.aes file has appeared on the desktop, but the invoice.txt file has not been deleted
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Event Selections
Select Host Intrusion Prevention Events
Click Reconfigure sorting and start to display the event selection
KL 002.11.6: Lab 11. Kaspersky Endpoint Security and Management: How to test Network Threat Protection
You have configured Host Intrusion Prevention to allow only trusted programs to edit text documents. To
properly protect against ransomware, add more document types to the category: *.doc, *.docx, *.xlsx, etc.
Programs by known vendors (such as Microsoft Office) are trusted, and Host Intrusion Prevention will not restrict
them. Ransomware, even new ransomware that has not yet been added to the signature database or KSN, will never get
into the trusted category and will not be able to edit documents.
Scenario. You scan your network periodically with a special security scanner to find out whether the computers
are properly shielded. Kaspersky Endpoint Security blocks attacks on the scanned computers and then blocks any
connections from the attacking computer for an hour. Add the computer from which you perform vulnerability
scanning to the list of exclusions.
To check the health of Network Threat Protection, we will use the Metasploit Framework penetration testing utility.
In this task, you will disable the Exploit Prevention protection component because it may react earlier than
Network Threat Protection.
The KSC, DC, Kali, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Disable Exploit Prevention
On the Kali computer, run the Metasploit Framework penetration testing utility. Carry out an attack that exploits
a vulnerability in the Server Message Block protocol.
Start the Metasploit Framework console. Carry out the following command:
msfconsole
Specify the address of the listening server (address of the Kali computer). Carry out the following command:
set LHOST 10.28.0.50
Specify the address of the victim machine. Carry out the following command:
set RHOSTS 10.28.0.100
The attack fails because Kaspersky Endpoint Security blocks network attacks by default.
Find the list of reports in the Administration Console. Create a new template for the Network attack report.
Generate the report, consult the details of the network attack, find the addresses of the attacking and
attacked machines.
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Reports
Click Add
Click Next
Select to include information over the last 30 days
Click OK
In the message box, click Save and run
Switch to the Details tab
Switch to the Events section
In the Application name field, select Kaspersky Endpoint Security
For the Severity level, select Critical
Choose Include selected general events
On the list of events, find and select the Network attack detected event
Click Save to save the event selection
In the message window, select the checkbox Go to selection result and click Save
Open Kaspersky Endpoint Security on the attacked computer. Open the Network Monitor window. Find the list
of blocked computers and unblock the Kali computer.
The Network Monitor window will open
Switch to the Blocked computers section
Unblock the Kali computer: Select address 10.28.0.50 and click Unblock
Close all Kaspersky Endpoint Security windows
In the Kaspersky Endpoint Security policy, open the Network Attack Blocker settings. Find the list of
trusted computers and add the IP address of the Kali computer (10.28.0.50) to it.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Go to the Essential Threat Protection section
Click the link Network Threat Protection
Click Add
Type the IP address of the Kali computer, 10.28.0.50, and click OK
Click OK
Click Save to save the policy
Wait for the policy to be applied
Simulate another attack on the computer Alex-Desktop from Kali using Metasploit Framework. Make sure
that Kaspersky Endpoint Security does not react to this attack anymore.
Make sure that you have exploited the vulnerability in SMB protocol
You have configured Network Threat Protection not to react to attacks from the specified IP address. You can
use this method to exclude addresses of network security scanners.
Also, you have created a new report and a new event selection. There are many types of reports in Kaspersky
Security Center. If the pre-configured reports available on the Reports tab are insufficient, have a look at the
complete list of reports that you can create. If none of them yet meets your needs, create a selection of events
that interest you. Configure conditions: event types, time, group of computers, etc.
Scenario. To prevent the users from disabling the protection, prohibit managing Kaspersky Endpoint Security
and Network Agent without a password.
Using the web console’s Dashboard, find information that protection is disabled on some computers. Go to the
selection of computers where protection is off. Open the computer properties, find the Kaspersky Endpoint
Security application and start it.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Dashboard
Note that one of the devices has the Critical protection status
Click the Critical link to consult the list of devices that have this status
Switch to the
Applications
tab
Select
Kaspersky
Endpoint
Security and
click Start
Close the
computer
properties
KL 002.11.6: Lab 12.
Kaspersky Endpoint Security and Management How to configure password protection
On the side
menu, select
Monitoring &
Reporting |
Dashboard
Note that the
protection
status has
changed
In the policy of Kaspersky Endpoint Security for workstations, find password protection among the Interface
settings. Enable password protection and apply it to critical operations with Kaspersky Endpoint Security.
On the Tom-Laptop computer, try to exit Kaspersky Endpoint Security. Make sure that you cannot exit the
application without the password. Try to uninstall Kaspersky Endpoint Security through the Windows Control
Panel. Make sure that this operation is also password-protected.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Click the Password protection DISABLED switcher
Enter the password Ka5per5Ky
Click OK
Click Add to specify a user
In the search box, type alex
Choose the Alex account
Click Select
Make sure that you need to enter credentials to perform some actions within the program.
Open the Network Agent policy and find the password protection settings there. Enable password protection, type
a password and make these settings required (prohibit users from modifying them).
On the Tom-Laptop computer, try to uninstall the Network Agent. Do not enter the password and make sure
that you cannot uninstall Network Agent without it.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Security Center Network Agent
Switch to the Application settings tab
In the Settings section, enable password protection: Use uninstallation password
Enter the password Ka5per5Ky
Enforce the Use uninstall password setting (lock it) and click Save
Wait for the policy to be applied
Switch to Tom-Laptop.
You have enabled password protection for Kaspersky Endpoint Security and Network Agent. Now the users
cannot uninstall Kaspersky applications, exit Kaspersky Endpoint Security or stop protection.
Neither can they stop the service or process of Kaspersky Endpoint Security: Kaspersky Endpoint Security
self-defense prevents this.
To hide from the users the fact that Kaspersky Endpoint Security is installed on the computer, select not to
display the KES icon in the notification area. This setting is located in the Interface section of the Kaspersky
Endpoint Security policy.
KL 002.11.6: Lab 13.
Kaspersky Endpoint Security and Management How to configure Application Control
Scenario. According to the corporate security policy, Internet Explorer is the only allowed web browser. All
available security updates are downloaded for it on a regular basis, while the updates of other browsers are not.
Considering that malware today typically penetrates a network through browsers, the decision was made to prohibit
all other browsers.
Your task is to enforce the security policy requirements. You need to block all browsers except for Internet
Explorer using Application Control.
Create an application category that includes all browsers except for Internet Explorer 11.0 or later. To add all
browsers, use Kaspersky (KL) categories. To exclude Internet Explorer, use the metadata of the iexplore.exe file.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Select From KL category
Click Next
Click OK
Open the Application Control settings in the policy. Enable Application Control and select the Block mode
instead of Notify.
Add a rule that prohibits starting programs of the Browsers category that you created in the previous task.
Switch to the Application settings tab
Select the Security Controls section
Select the Application Control component
Enable Application Control
Switch the component to the block mode: select Kaspersky Endpoint Security for Windows blocks startup of applications that are blocked by Application Control settings
Add a category to the denylist. Click Add
Select the Browsers category
Click OK
Enable this category if it has not been enabled automatically
Click OK
Save the policy: Click Save and Yes
Wait for the policy to be applied
Make sure that the users are able to launch Internet Explorer but not Mozilla Firefox.
If you need to allow or prohibit a group of programs, Kaspersky categories come in very handy. The categories
are updated when database updates are run, and you can feel confident that the latest versions of popular
browsers are added and applied automatically.
When setting up Application Control, remember: rules that deny access always take priority over rules that
allow access. For this reason, if you need to prohibit a program category except for a few applications, create
a rule that blocks the category and add exclusions for the allowed applications, as demonstrated in this lab.
Any other configuration will not work.
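The rule precedence described above, together with the "conditions minus exclusions" way of building a category that Lab 14 below applies to path masks, modelled as an added Python example. This is not Kaspersky's code or part of the lab: the KL category membership table, the path masks, the sample executables and the version metadata are all constructed for the example, and the mask matcher is a simplification of the product's mask syntax (its `*` also spans path separators).

```python
"""Added model of Kaspersky Endpoint Security Application Control decisions.

Not Kaspersky's code: it reproduces the rule semantics described in the lab
(deny rules outrank allow rules; a category is its conditions minus its
exclusions) on constructed sample data.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Executable:
    path: str      # full path of the file being started
    product: str   # product name from the file's version metadata ("" if none)
    version: str   # file version from metadata, e.g. "11.0.19041.1"


def version_tuple(version: str) -> Tuple[int, ...]:
    """'11.0.19041.1' -> (11, 0, 19041, 1) so that versions compare numerically."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


# Constructed stand-in for Kaspersky (KL) categories. In the product they are
# maintained through database updates; here membership is decided by metadata.
KL_CATEGORIES: Dict[str, Callable[[Executable], bool]] = {
    "Browsers": lambda e: e.product in {"Internet Explorer", "Mozilla Firefox", "Google Chrome"},
    "Office applications": lambda e: e.product in {"Microsoft Word", "Microsoft Excel"},
}


def in_kl_category(name: str, exe: Executable) -> bool:
    return KL_CATEGORIES[name](exe)


def path_matches(path: str, mask: str) -> bool:
    """Case-insensitive mask match. Simplification: '*' here also spans '\\'."""
    return fnmatchcase(path.lower(), mask.lower())


@dataclass
class Category:
    name: str
    include: Callable[[Executable], bool]                    # conditions
    exclude: Callable[[Executable], bool] = lambda e: False  # exclusions

    def contains(self, exe: Executable) -> bool:
        return self.include(exe) and not self.exclude(exe)


# Lab 13: every member of the KL "Browsers" category except Internet Explorer
# 11.0 or later, identified by the metadata of iexplore.exe.
BROWSERS_EXCEPT_IE = Category(
    "Browsers",
    include=lambda e: in_kl_category("Browsers", e),
    exclude=lambda e: (e.path.lower().endswith("\\iexplore.exe")
                       and e.product == "Internet Explorer"
                       and version_tuple(e.version) >= (11, 0)),
)

# Lab 14: files under user-writable system directories, with all KL categories
# excluded so known software is not caught. The masks are constructed samples;
# the lab's Conditions_Protection_Cryptomalware.txt is not reproduced here.
CRYPTOMALWARE_MASKS = [
    r"C:\Users\*\AppData\Local\Temp\*",
    r"C:\Users\*\AppData\Roaming\*",
    r"C:\Windows\Temp\*",
]
PROTECTION_CRYPTOMALWARE = Category(
    "Protection Cryptomalware",
    include=lambda e: any(path_matches(e.path, m) for m in CRYPTOMALWARE_MASKS),
    exclude=lambda e: any(in_kl_category(k, e) for k in KL_CATEGORIES),
)


@dataclass
class Rule:
    category: Category
    action: str  # "deny" or "allow"


def decide(exe: Executable, rules: List[Rule]) -> str:
    """Block mode with a denylist: deny outranks allow whatever the rule order,
    and a file that matches no rule may start."""
    actions = {r.action for r in rules if r.category.contains(exe)}
    return "deny" if "deny" in actions else "allow"


LAB_POLICY = [Rule(BROWSERS_EXCEPT_IE, "deny"), Rule(PROTECTION_CRYPTOMALWARE, "deny")]

# Constructed sample files for the checks below (paths and versions are made up).
FIREFOX = Executable(r"C:\Program Files\Mozilla Firefox\firefox.exe", "Mozilla Firefox", "115.0.1")
IE11 = Executable(r"C:\Program Files\Internet Explorer\iexplore.exe", "Internet Explorer", "11.0.19041.1")
IE10 = Executable(r"C:\Program Files\Internet Explorer\iexplore.exe", "Internet Explorer", "10.0.9200.16384")
UNKNOWN_TEMP = Executable(r"C:\Users\alex\AppData\Local\Temp\invoice.exe", "", "")
WORD_ROAMING = Executable(r"C:\Users\alex\AppData\Roaming\Microsoft\Word\WINWORD.EXE", "Microsoft Word", "16.0.1")


def allow_rule_does_not_override() -> str:
    """An allow rule covering all browsers cannot rescue Firefox from the deny rule."""
    all_browsers = Category("All browsers", include=lambda e: in_kl_category("Browsers", e))
    return decide(FIREFOX, [Rule(all_browsers, "allow"), Rule(BROWSERS_EXCEPT_IE, "deny")])


if __name__ == "__main__":
    for exe in (FIREFOX, IE11, IE10, UNKNOWN_TEMP, WORD_ROAMING):
        print(f"{decide(exe, LAB_POLICY):5} {exe.path}")
    print("allow rule overrides deny?", allow_rule_does_not_override() == "allow")
```

Running the block shows Firefox and Internet Explorer 10 denied, Internet Explorer 11 allowed, an uncategorised file in the user's Temp directory denied and Word (a KL category member) allowed even though it sits under a blocked mask; the last line confirms that adding an allow rule changes nothing, which is why the lab builds exclusions into the category instead.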
KL 002.11.6: Lab 14.
Kaspersky Endpoint Security and Management How to block start of unknown applications in the network
Scenario. Application Control, as well as Host Intrusion Prevention, can help reduce the risk related to new
malware. Let us configure Application Control to block the start of all files in specific operating system
directories except for trusted ones.
In this task, you will create an application category for crypto ransomware.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
Go to Operations | Third-party applications | Application Categories
Click Add to create a new category
Type Protection Cryptomalware for the category name
For the category creation method, select Category with content added manually
Click Next
To create a condition, click Add
Select Specify path to application (masks supported)
Click Next
Select and copy the first line from the file Conditions_Protection_Cryptomalware.txt
Click Add to include the other values
In a similar manner, add all other paths from Conditions_Protection_Cryptomalware.txt
Click Next
Specify exclusions. Click Add
Select From KL category
Click Next
Select all KL categories
Click Next
Click OK
Open the Application Control settings in the policy. Enable Application Control and select the Block mode
instead of Notify.
Add a rule that prohibits starting programs of the Protection_Cryptomalware category that you created in
the previous task.
Switch to the Application Settings tab
Select the Security Controls section
Select the Application Control component
On the list of categories, select Protection Cryptomalware
Click OK
Click OK
Click OK
Click OK
Save the policy: Click Save and Yes
Wait for the policy to be applied
In this task, you will make sure that Kaspersky Endpoint Security blocks start of unknown files.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Application Control component
Disable the Application Control component
Click OK
Click Save to save the policy
Wait for the policy to be applied
This lab demonstrates how the administrators, by properly configuring the product, can block the start of new
and unknown files on the endpoints. By doing so, they will reduce the risk of infection on the protected machines.
KL 002.11.6: Lab 15.
Kaspersky Endpoint Security and Management How to block USB flash drives
Scenario. Incident analysis has revealed that several computers had become infected through USB flash
drives. The decision was made to eliminate this penetration vector. Your task is to block access to all USB
flash drives using Kaspersky Endpoint Security on all workstations in the ABC network.
In this task, we will learn how to configure blocking of USB flash drives in the policy.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Device Control component
Under Access, select Block
Click OK
In this task, we will try to access the device already connected to the computer.
In this task, we will receive the USB drive access request from the user.
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Event Selections
Click User requests
Read the request
In this lab, we studied how to block access to removable drives. Aside from blocking access completely, you can
also allow access upon request or allow specific devices only. Typically, administrators will use this functionality
to block the spread of malware through removable drives on the network. This feature can also help to prevent
data leakage.
KL 002.11.6: Lab 16.
Kaspersky Endpoint Security and Management How to configure granular permissions for USB flash drives
Scenario. You have prohibited access to USB flash drives throughout the company. However, the measure
turned out to be too aggressive, as some users need USB flash drives for work-related tasks. The company has
decided to allow all users to use encrypted USB flash drives.
Now, we will allow the users to read and copy files from USB flash drives; add encrypted USB flash drives
to trusted devices and thus allow domain users to access them without limitations; and also configure
logging of operations with these USB flash drives.
Open the Device Control settings in the Kaspersky Endpoint Security policy. Enable the users (Everyone) to
read files from removable drives.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Click Start, Computer
Make sure that the USB flash drive has been connected successfully
Switch to the Application settings tab
Select the Security Controls section
Select the Device Control component
Open the Device Control settings in the Kaspersky Endpoint Security policy. Make the removable drive trusted
for the Domain users group. Select to log events when users write files to USB flash drives.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Device Control component
Open the Logging tab
Enable Logging
Click the Add button at the bottom of the window to specify a user group
Type everyone and click the magnifying glass icon
Choose the Everyone group
Click Select
Click OK
Make the removable drive trusted: click Add device by ID
On the list of devices, select Generic Flash Disk USB Device
Click Next
Select the Domain Users group
Click Next
Click OK
Switch to the Application settings tab
Go to the General settings section
Click Interface
In the Notifications area, click the Notification settings link
Select the Device Control component
Select to Save in local report the File operation performed event and click OK
Click Save to save the policy
Wait for the policy to be applied
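The access decisions that the Device Control settings from Lab 15 (Access: Block) and this lab (read permission for Everyone, a trusted device for Domain Users, logging of write operations) produce, modelled as an added Python example. This is not Kaspersky's code or part of the lab: the evaluation order (trusted device first, then group permissions, then the component-wide access setting), the decision to record the File operation performed event for trusted devices as well, the user accounts and the second device ID are assumptions made for the example.

```python
"""Added model of the Device Control decisions configured in Labs 15 and 16.

Not Kaspersky's code: it combines the settings the labs touch (removable drive
access = Block, a read permission for Everyone, a trusted device for Domain
Users) with the write-operation logging, on constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]  # Windows group membership, e.g. Everyone, Domain Users


@dataclass
class TrustedDevice:
    device_id: str    # the device as listed under "Add device by ID"
    groups: Set[str]  # members of these groups use the device without restrictions


@dataclass
class RemovableDrivePolicy:
    access: str = "block"                                    # Lab 15: Block
    read_allowed_for: Set[str] = field(default_factory=set)  # Lab 16: Everyone may read
    trusted: List[TrustedDevice] = field(default_factory=list)
    log_writes_for: Set[str] = field(default_factory=set)    # Logging tab: Everyone
    local_report: List[Dict[str, str]] = field(default_factory=list)

    def decide(self, user: User, device_id: str, operation: str) -> str:
        """Return 'allow' or 'block' for a read or write on a removable drive.

        Evaluation order used by this model (an assumption, not the product's
        documented order): trusted devices, then group permissions, then the
        component-wide access setting.
        """
        if operation not in ("read", "write"):
            raise ValueError(f"unknown operation: {operation}")
        trusted = any(td.device_id == device_id and user.groups & td.groups
                      for td in self.trusted)
        if trusted:
            verdict = "allow"
        elif self.access == "block":
            verdict = ("allow" if operation == "read" and user.groups & self.read_allowed_for
                       else "block")
        else:
            verdict = "allow"
        # The "File operation performed" event is recorded for members of the
        # logged groups whenever a write actually happens (model assumption:
        # trusted devices are logged too).
        if verdict == "allow" and operation == "write" and user.groups & self.log_writes_for:
            self.local_report.append({"event": "File operation performed", "user": user.name,
                                      "device": device_id, "operation": operation})
        return verdict


def lab16_policy() -> RemovableDrivePolicy:
    """The policy state after the Lab 16 steps."""
    return RemovableDrivePolicy(
        access="block",
        read_allowed_for={"Everyone"},
        trusted=[TrustedDevice("Generic Flash Disk USB Device", {"Domain Users"})],
        log_writes_for={"Everyone"},
    )


# Constructed sample principals and devices (the second device ID is made up).
ALEX = User("alex", frozenset({"Everyone", "Domain Users"}))
GUEST = User("guest", frozenset({"Everyone"}))
TRUSTED_ID = "Generic Flash Disk USB Device"
OTHER_ID = "Constructed Example USB Device"


def run_checks() -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Exercise the Lab 16 policy and return the verdicts plus the local report."""
    policy = lab16_policy()
    results = {
        "alex write trusted": policy.decide(ALEX, TRUSTED_ID, "write"),
        "alex write other": policy.decide(ALEX, OTHER_ID, "write"),
        "alex read other": policy.decide(ALEX, OTHER_ID, "read"),
        "guest write trusted": policy.decide(GUEST, TRUSTED_ID, "write"),
        "guest read trusted": policy.decide(GUEST, TRUSTED_ID, "read"),
    }
    return results, policy.local_report


if __name__ == "__main__":
    verdicts, report = run_checks()
    for check, verdict in verdicts.items():
        print(f"{verdict:5} {check}")
    print("local report:", report)
    print("Lab 15 policy, read:", RemovableDrivePolicy().decide(ALEX, TRUSTED_ID, "read"))
```

The checks mirror the lab's verification on Tom-Laptop: a domain user writes to the trusted drive and the write is logged, the same user can only read any other drive, and an account outside Domain Users gets read access to the trusted drive but cannot write to it. Under the Lab 15 policy alone, even reads are blocked.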
Switch to Tom-Laptop.
Copy the invoice.txt file from the desktop to the USB flash drive
Make sure that Kaspersky Endpoint Security allows you to write files to a trusted device
In this lab, we studied how to control user access rights to USB flash drives along with making exclusions for
specific drive types. There are always users at a company (secretaries, for example) who need to copy data
to/from various USB flash drives whose model and serial number are usually not known in advance.
Others (administrators, for example) typically have this information readily available. You can configure
exclusions for these drives. The policy allows flexible adjustments: you can create a list of specific USB
flash drives that are to be accessible and specify the users and/or groups who use them.
KL 002.11.6: Lab 17.
Kaspersky Endpoint Security and Management How to configure web access control
Scenario. When analyzing the company’s internet traffic, you have found that many users visit cryptocurrency
exchange websites during business hours. Based on this information, you would like to prohibit that by setting up
a policy to specifically block access to the respective content category.
In this task, we will configure the policy to block access to cryptocurrency exchange websites for all users
during business hours.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
Go to Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select the Security Controls section
Select the Web Control component
Click Add
On the Content Categories list, under Online stores, banks, payment systems, select Cryptocurrencies, mining
Click OK
Select Apply to individual users and / or groups
Click Add
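The Web Control rule configured above (block the Cryptocurrencies, mining category for all users during business hours), modelled as an added Python example so the schedule, principal and data-type dimensions can be checked against sample requests. This is not Kaspersky's code or part of the lab: the business hours (Monday to Friday, 09:00 to 18:00), the host-to-category table, the "first matching rule wins" ordering and the sample URLs are assumptions made for the example; the page does not state the hours or how any site is categorised.

```python
"""Added model of the Web Control rule from Lab 17.

Not Kaspersky's code. The business-hours schedule and the URL categorisation
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Set
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Schedule:
    weekdays: FrozenSet[int]  # datetime.weekday(): Monday = 0 ... Sunday = 6
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.weekdays and self.start <= at.time() < self.end


@dataclass
class WebRule:
    name: str
    action: str                            # "block" or "allow"
    categories: Set[str]                   # content categories the rule covers
    data_types: Optional[Set[str]] = None  # None = any data type
    principals: Optional[Set[str]] = None  # None = all users; else user/group names
    schedule: Optional[Schedule] = None    # None = always


# Assumed business hours: Monday to Friday, 09:00 to 18:00.
BUSINESS_HOURS = Schedule(frozenset(range(5)), time(9, 0), time(18, 0))

# Constructed stand-in for the category lookup the product performs.
CATEGORY_OF_HOST: Dict[str, str] = {
    "exchange.example": "Cryptocurrencies, mining",
    "pool.example": "Cryptocurrencies, mining",
    "intranet.abc.lab": "Business",
}

# The single rule created in the lab, applied to all users.
LAB_RULES: List[WebRule] = [
    WebRule("Block cryptocurrency sites in business hours", "block",
            categories={"Cryptocurrencies, mining"}, schedule=BUSINESS_HOURS),
]


def categorise(url: str) -> str:
    host = urlsplit(url).hostname or ""
    return CATEGORY_OF_HOST.get(host, "Uncategorised")


def data_type_of(url: str) -> str:
    """Coarse data-type classification by the requested file name."""
    path = urlsplit(url).path.lower()
    return "Executable files" if path.endswith((".exe", ".msi")) else "Web page"


def decide(url: str, user_groups: Set[str], at: datetime,
           rules: Optional[List[WebRule]] = None) -> str:
    """First matching rule (top to bottom) decides; no match means access is allowed."""
    rules = LAB_RULES if rules is None else rules
    category = categorise(url)
    dtype = data_type_of(url)
    for rule in rules:
        if category not in rule.categories:
            continue
        if rule.data_types is not None and dtype not in rule.data_types:
            continue
        if rule.principals is not None and not (user_groups & rule.principals):
            continue
        if rule.schedule is not None and not rule.schedule.active(at):
            continue
        return rule.action
    return "allow"


if __name__ == "__main__":
    monday_10 = datetime(2024, 1, 8, 10, 0)   # a Monday morning
    monday_19 = datetime(2024, 1, 8, 19, 30)  # after hours
    saturday = datetime(2024, 1, 13, 11, 0)
    for when in (monday_10, monday_19, saturday):
        print(when, decide("https://exchange.example/trade", {"Everyone"}, when))
    print("intranet:", decide("https://intranet.abc.lab/", {"Everyone"}, monday_10))
```

The same `decide` function also covers the variations mentioned in this lab's summary: give a rule `principals={"Finance"}` to scope it to a group, or `data_types={"Executable files"}` to block only downloads of executables from the listed categories.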
In this task, we will make sure that the rule has been applied and the Cryptocurrencies and mining category
is blocked.
Open Kaspersky Security Center Web Console
On the side menu, select Monitoring & Reporting | Event Selections
Click Recent events
In this lab, we studied the functionality that blocks access to web resources. Access can be allowed or blocked by
content category, data type or both. Access can be blocked during a specified time period only and be applied to user
groups or specific users. A typical use case for this functionality is blocking access to social networks, executable
files or external email, through which information may leak and/or infected objects can be downloaded.
KL 002.11.6: Lab 18.
Kaspersky Endpoint Security and Management How to configure Adaptive Anomaly Control
Scenario. Kaspersky Endpoint Security features a component that monitors scripts and macros and detects
system anomalies. You have decided to test the health of this protection component. For this purpose, you will use
a Word file with a macro that contains an obfuscated PowerShell script prepared beforehand.
Disable all main protection components. By default, the Adaptive Anomaly Control component at first works in
the statistics mode and collects data about started programs and scripts. To test how the component
detects malicious files, switch it to the block mode manually.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Policies & Profiles
Open the policy of Kaspersky Endpoint Security for Windows
Switch to the Application settings tab
Select Security Controls
Open the settings of the Adaptive Anomaly Control component
Enable Adaptive Anomaly Control
Click the Rules link to configure detection rules
Send a message with an attachment that contains a malicious script and make sure that the file will be blocked.
Switch to Tom-Laptop.
In this lab, we have studied the Adaptive Anomaly Control component. It can either notify the administrator about
a script run or abnormal program behavior, or block the process, macro or PowerShell script.
KL 002.11.6: Lab 19.
Kaspersky Endpoint Security and Management How to configure the dashboard
Scenario. In your daily routine, you open the Kaspersky Security Center management console to monitor whether
protection is in place and check if there are threats or issues that require your attention. To have a
quick protection status overview, configure the dashboard to summarize the health of your systems.
Contents. In this lab, you will configure the dashboard for daily monitoring.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
To create a new widget, click Add or restore web widget
Expand Threat statistics and select History of network attacks
Click Add
The widget’s representation has changed
Click OK to confirm
Note that the widgets have moved to close the gap
You have added the widgets that you need to the dashboard, which shows the most important information
about network protection.
KL 002.11.6: Lab 20.
Kaspersky Endpoint Security and Management How to configure maintenance tools
Scenario. To be able to find the necessary information and react to threats quicker, delete the reports that you
do not use, prepare a virus scan task that can be started from computers’ shortcut menus, and configure weekly
reports to be emailed to you.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Click
Click Delete
Confirm that you want to delete the report: Click OK
Rename the Report on most heavily infected devices to Monthly report on most heavily infected devices;
then create a weekly report.
Open the properties of the Report on most heavily infected devices
Rename it to Monthly report on most heavily infected devices and click Save
Close the report window
Create a new report: Click the Add button
Select Administration group and specify Managed devices
Click Next
Open Kaspersky Security Center Web Console
On the side menu, select Devices | Tasks
Create a report sending task: Click Add
Select Kaspersky Security Center 13 on the list of applications
Select the Deliver reports task type
Name the task Deliver reports
Click Next
Click Next
Switch to the Schedule tab
Set the emailing interval to Weekly
Select Monday and 9am, then click Save
You have deleted unused reports, and now you will be able to find the necessary ones quicker.
KL 002.11.6: Lab 21.
Kaspersky Endpoint Security and Management How to collect diagnostic information
Scenario. Kaspersky Endpoint Security components will not start on a corporate computer, and you have not been
able to figure out the reason for the incident. Collect trace logs of Kaspersky Endpoint Security to be sent to
technical support. Do it remotely from the Administration Console.
Contents. In this lab, you will remotely collect trace logs from a computer.
Find the Alex-Desktop computer in the console and start the remote diagnostics utility from its shortcut menu.
In the utility window, enable tracing for Kaspersky Endpoint Security, restart Kaspersky Endpoint Security and
download the logs. Additionally, download information about the computer and Windows logs: Kaspersky Event
Log and System.
The KSC, DC, Alex-Desktop and Tom-Laptop machines must be powered on.
Log on to the abc\Administrator account with the password Ka5per5Ky
Run the MMC Administration Console
Go to the Managed devices node
To find the Alex-Desktop computer, run the search utility from the shortcut menu of the Managed devices node
Type Alex-Desktop and click Find now
Enable tracing: Select Kaspersky Endpoint Security for Windows
Click the link Enable tracing
Restart Kaspersky Endpoint Security: click the link Restart application
Wait for Kaspersky Endpoint Security to restart. At the bottom of the window, the following message will appear: Operation completed successfully
Click the link Disable tracing
Expand the Kaspersky Endpoint Security for Windows/Trace files folder
Select the first file on the list and click the link Download entire file
Download other files from the Trace files folder in a similar manner
Download information about the computer: Select the System Info node
Click the link Download System Info
Open the Event log folder and save the Kaspersky Event Log and System log in a similar manner
Click the link Download folder in the lower-left corner of the window
You have downloaded Kaspersky Endpoint Security trace logs and system information from the computer.
Attach these logs to your technical support request.
You can also use the diagnostics utility if you need Network Agent logs, update module logs, installation logs,
or tracing for the Administration Server.
v.1.6.6