Kaspersky Endpoint Security 8 for Windows and Kaspersky Security Center
Reviewer's Guide

Contents
Introduction / Solution Headlines ... 3
Getting Started ... 4
Deployment ... 4
Installation on an Infected Operating System ... 4
Kaspersky Security Network ... 4
Activation ... 5
Interface Overview ... 6
Centralized Management ... 6
Highlights of Features - Kaspersky Security Center ... 8
Endpoint Control ... 8
Application Management / Application Control ... 8
Device Control ... 11
Web Control ... 12
Manageability, Scalability and Virtualization Support ... 12
Dashboard, Reports ... 12
Web Console ... 13
Scalability ... 13
Internal Hierarchy Using Multiple Administration Servers ... 13
VMware Virtual Machine Management ... 13
Enhanced Protection ... 13
Signature-Based Protection ... 14
File Anti-Virus ... 14
Mail Anti-Virus ... 14
IM Anti-Virus ... 15
Proactive Protection ... 16
Protection from Network Attacks ... 16
Bundles and Availability ... 18
1. Kaspersky Open Space Security Bundles ... 18
2. File Server Bundles ... 18
System Requirements ... 18

PAGE 1 Kaspersky Endpoint Security 8 for Windows and Kaspersky Security Center 06 October 2011
Introduction / Solution Headlines

Many small and medium-sized businesses struggle with limited resources. These companies realize that implementing and managing the security policies and infrastructure needed to maintain adequate security, support increased mobility and consumerization, and take advantage of virtualization and cloud-based business optimization all place significant demands on those resources. To deal with these challenges, firms need solutions that deliver comprehensive protection technologies and can be managed and controlled efficiently. Read more about corporate threats in the second issue of SecureView magazine: http://www.secureviewmag.com/downloads/article_pdf/secureview_4.zip

Kaspersky Lab has enhanced its endpoint protection solution with the introduction of Kaspersky Endpoint Security 8 for Windows, managed by Kaspersky Security Center. The new solution delivers comprehensive security for distributed physical and virtual environments. The product is equipped with technologies that work together to provide comprehensive security and combat evolving threats. Kaspersky Lab's tightly-integrated solution provides agile and efficient protection against contemporary security threats.

Kaspersky Lab empowers businesses worldwide with a solution that minimizes system impact, leverages deep anti-malware protection, and delivers a powerful set of tools to ensure security and control over an array of applications, devices and web content. Kaspersky Lab's management interface simplifies deployment and is optimized for complex IT environments that must be serviced with limited staff. Read more in the Kaspersky Lab Global IT Security Risks corporate survey: http://www.kaspersky.com/images/kaspersky_global_it_security_risks_survey-10-98699.pdf

Key Enhancements and Customer Benefits:
Deep endpoint protection. Enhanced anti-malware protection delivered through the latest anti-virus engine and proactive technologies that include program activity monitoring and rollback of malicious activity. Support for cloud-based security ensures a prompt reaction to new and unknown threats.

Comprehensive endpoint control. Better IT security for businesses via flexible Application Startup Control, Device Control and Web Control features, which let the IT department regain control over endpoints and increase staff productivity.

Application control and whitelisting. Easy deployment of security policy for software with pre-defined or custom rules, cloud-assisted and administrator-defined categorization, and software vulnerability monitoring. Enhanced protection from malicious code with file reputations, automatic access rules, and monitoring of application activity.

Integration with the cloud. Kaspersky Endpoint Security 8 for Windows introduces support for the cloud-based Kaspersky Security Network, which provides prompt and reliable reputation data about malicious and legitimate programs and web pages, allowing organizations to react quickly to emerging threats and to use flexible whitelisting functionality.

Manageability, scalability and virtualization support. Kaspersky Security Center provides a centralized security management system with actionable reports on all aspects of IT security. The new management solution is fully scalable and supports virtualization technologies within the Kaspersky Security Center administration structure.
Getting Started

Deployment

Kaspersky Endpoint Security 8 for Windows and Kaspersky Security Center both support multiple deployment methods. We recommend that you first install the management console, then use the Remote Installation Wizard (select Managed computers, then click Start installation in the Remote Installation Wizard) to install Kaspersky Endpoint Security on the computers you would like to test as clients.

Kaspersky Endpoint Security may be installed on a client that has another security product installed and/or has been infected. The Kaspersky Security Center remote installer has Rip and Replace capability; that is, the Remote Installation Wizard can remove incompatible applications from the client computer. During this process the administrator can click Configure automatic removal and select Uninstall incompatible applications automatically. Administrators who require more flexibility and control may choose to install just the Network Agent. For the complete list of deployment options, please consult the User Guide.

Installation on an Infected Operating System

Sometimes a computer is so badly infected that installing an antivirus solution is impossible, e.g., when it is infected by certain types of rootkit. In such cases the product offers to download a dedicated utility that scans the computer and neutralizes threats first.

Kaspersky Security Network

As part of the installation process, the user is invited to participate in the Kaspersky Security Network (KSN). KSN automatically collects and forwards to Kaspersky Lab information about attempts to infect connected computers (anonymously and only with the user's consent). This information is analyzed by Kaspersky Lab and added to the online malware database. KSN is the vehicle that allows Kaspersky Lab to provide its highest level and speed of threat detection.

Kaspersky Security Network incorporates the latest cloud-based technologies, providing a high level of protection against cyber-threats. It leverages constantly updated reputation databases that record information about files and hosts worldwide far sooner than ordinary antivirus database updates. KSN's Urgent Detection System (UDS) reacts to new threats almost immediately, with a response time measured in seconds.

KSN provides users with information about the categories of applications stored in Kaspersky Lab's reputation databases. This allows organizations to flexibly manage application launch policies and prevent the launch of potentially dangerous or unwanted applications. In addition, categorization makes it possible to work in Default Deny mode. In this mode all software is blocked, and exceptions are made only for programs or program categories that the systems administrator has added to a whitelist.

By participating in the Kaspersky Security Network, users voluntarily help Kaspersky Lab gather information about the types and sources of new threats, develop ways to neutralize them, and reduce the number of false positives. In addition, participation in KSN gives access to data on the reputations of programs and websites. Kaspersky Lab does not collect, process or store personal data via KSN. For more information on what particular types of data pass to Kaspersky Lab through KSN, please refer to the KSN agreement.

Participating in KSN is entirely voluntary. Administrators may opt out on behalf of their organizations at any time. During installation, administrators accept or decline participation in KSN via the Kaspersky Security Network Data Collection Statement. If a user chooses not to participate in KSN, the cloud-assisted functions (reputation lookups and cloud-assisted application categorization) are disabled. For reviewing purposes, we recommend that you accept the statement and enable KSN.

Activation

In order to review the full range of features of Kaspersky Endpoint Security 8 for Windows and Kaspersky Security Center, we recommend that you activate the applications. Please contact Kaspersky Lab's PR team to obtain a review license and the associated key files. You can enter the key files by:
1) Adding a license using the Quick Start Wizard; then
2) Adding this license under Repositories\Licenses on the master Administration Server.
Interface Overview

The new Kaspersky Security Center provides clear, actionable information through its console interface. Upon installation of the Security Center, administrators can readily access information and begin managing their security landscape.

Centralized Management

Kaspersky Security Center enables centralized management of Kaspersky Lab's security applications, allowing administrators to set security policies, including those for security scanning, updates, application management (Application Startup Control and Application Privilege Control), vulnerability scanning, device control, mobile policies and reporting. In the tree view in the left-hand column, under Managed computers, administrators can set up managed computer groups, policies and tasks, and access the managed computers themselves. Under the Policies tab, administrators can review the default protection policies and access most of the endpoint control features.
Using policies and settings, Kaspersky Security Center centrally configures and controls the settings of the endpoint security applications on client computers. On the Protection and control tab of Kaspersky Endpoint Security 8, end users can see that their endpoint security follows the administrator's policies.
Highlights of Features - Kaspersky Security Center

Endpoint Control

The latest versions of Kaspersky Endpoint Security and Kaspersky Security Center have been supplemented with Endpoint Control, which comprises Application Management, Device Control and Web Control. These controls give administrators additional control over client computers and improve their security posture.

Application Management / Application Control

Kaspersky Security Center provides Application Management tools for software administrators. These tools let administrators take a snapshot of the applications currently present on endpoints so they can construct and enforce an appropriate application control policy for their organization. Centralized application policies for endpoints include Application Startup Control, Application Privilege Control and Vulnerability Scanning.

Software Inventory

The Software Inventory function gives the IT/security department a clear picture of software usage, so it can analyze the organization's current software status and build effective and appropriate usage policies. To take stock of applications network-wide, Security Center uses the application registry and the executable files on disk. To minimize the burden on administrators, Kaspersky Security Center only scans for applications that have been run at least once on the client computers.
Application Category/Reputation

Administrators can use any of 80 predefined categories, including, for example, Golden Image, which contains information on files that are critical for the functioning of the operating system and is updated automatically. In addition, administrators may create custom categories based on:
o File name and version;
o Application name and version;
o Vendor (publisher);
o MD5 hash; or
o Defined folders.

Application Startup Control

With centralized Application Startup Control, administrators can establish policies that control (allow/block/audit) the launch of applications on managed client workstations. Flexible rules can be defined by user group or application category. This lets companies monitor application usage and enforce policy on prohibited applications.

Application Privilege Control

Application Privilege Control creates a second line of defense after Application Startup Control. Even when an application is allowed to run on a managed workstation, Kaspersky Endpoint Security continues to monitor its activity and behavior. To raise the level of security, Application Privilege Control limits access to critical system and network resources and protects user data from high-risk applications after the initial Application Startup Control decision. This provides effective protection against new malware without limiting legitimate application processes.

Kaspersky Lab's Application Privilege Control uses intelligence gathered locally (heuristic analysis combined with HIPS) together with community-based global security and file reputation services from Kaspersky Security Network (KSN). Using this intelligence, applications are assigned to one of four groups: Trusted, Low Restricted, High Restricted and Untrusted. Kaspersky Lab firmly believes that security products should work right out of the box; the default settings are therefore chosen to give immediate protection that is both effective and flexible. Of course, administrators may modify the settings to match the specific IT security policies of their organization.

Kaspersky Security Center's dynamic reputation checking continuously monitors all applications, even trusted ones, both locally and in the cloud, and reclassifies them quickly to reflect any change in reputation. KSN maintains its own application reputation database and whitelist of trusted applications, built in collaboration with partners and Kaspersky Lab's own malware research labs. Rapid updates of the whitelist allow organizations to quickly identify a trusted application gone rogue and to reduce both false negatives and false positives. For more details on Kaspersky Lab's cloud-based reputation database and whitelist, please read the Whitelisting Whitepaper included in your press pack.

Vulnerability Monitor

The Vulnerability Monitor provides information on operating system and installed application vulnerabilities before they can be exploited. Kaspersky Endpoint Security performs two types of vulnerability scan: on-demand and on-access.
The results are stored in vulnerability reports. To help IT security professionals prioritize patching against actively exploited vulnerabilities, Kaspersky Lab maintains a list of the most potentially harmful vulnerabilities. The list, which includes the vulnerabilities identified as most exploited in the wild, is supplemented with licensed information from Secunia and with data from the Microsoft Windows Update Agent. A centralized vulnerability report provides clear, actionable information, including vulnerability severity levels, potential risks, and live links, so that IT security professionals can pinpoint vulnerable endpoints and quickly prioritize remediation.
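The Application Startup Control and category mechanism described above can be modelled as a small policy engine. The following Python is an added example written for this guide, not Kaspersky code; the category names, hashes, vendors, paths and user groups are constructed. It applies the guide's rule actions (allow, block, audit) per user group over categories defined by MD5 hash, vendor, file name and version, or folder, with Default Deny as the fallback, and shows why a block rule must win over an allow rule when both match. Two caveats a practitioner should keep in mind: the vendor string here is taken at face value, whereas in a real deployment only a verified code signature should identify a publisher; and MD5, while adequate for cataloguing known-good files, is no longer collision-resistant.

```python
"""Application Startup Control in Default Deny mode: an illustrative model.

Added example, not Kaspersky code. It models the category match types the
guide lists (file name and version, vendor, MD5 hash, folder) and the three
rule actions (allow / block / audit), applied per user group, with Default
Deny as the fallback when no rule matches.
"""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Executable:
    """What the endpoint knows about a file that is about to start."""
    path: str      # full path on the endpoint
    name: str      # file name, e.g. "notepad.exe"
    version: str   # file version from the PE version resource
    vendor: str    # publisher; a real product should only trust a verified signature
    md5: str       # hex MD5 of the file contents


@dataclass(frozen=True)
class Category:
    """A category is a set of conditions; an executable is in it if any one matches."""
    name: str
    md5s: FrozenSet[str] = frozenset()
    vendors: FrozenSet[str] = frozenset()
    name_versions: FrozenSet[Tuple[str, str]] = frozenset()  # (file name, version)
    folders: Tuple[str, ...] = ()                            # Windows path prefixes

    def matches(self, exe: Executable) -> bool:
        if exe.md5.lower() in self.md5s:
            return True
        if exe.vendor in self.vendors:
            return True
        if (exe.name.lower(), exe.version) in self.name_versions:
            return True
        # ntpath handles Windows paths on any host; normcase lowercases and
        # normalises separators so "C:\Users" and "c:/users" compare equal.
        exe_dir = ntpath.normcase(ntpath.dirname(exe.path)).rstrip("\\") + "\\"
        return any(exe_dir.startswith(ntpath.normcase(f).rstrip("\\") + "\\")
                   for f in self.folders)


@dataclass(frozen=True)
class Rule:
    category: str
    groups: FrozenSet[str]   # user groups the rule applies to
    action: str              # "allow", "block" or "audit"


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def evaluate(exe: Executable, user_groups: FrozenSet[str], categories: List[Category],
             rules: List[Rule], default_deny: bool = True):
    """Return (action, reason, audited_categories).

    A block rule wins over an allow rule regardless of rule order; audit rules
    never change the verdict, they only report the launch. With no allow or
    block match, Default Deny blocks the launch.
    """
    cats = {c.name: c for c in categories}
    allowed_by = blocked_by = None
    audited = []
    for rule in rules:
        if not (rule.groups & user_groups) or not cats[rule.category].matches(exe):
            continue
        if rule.action == "audit":
            audited.append(rule.category)
        elif rule.action == "block" and blocked_by is None:
            blocked_by = rule.category
        elif rule.action == "allow" and allowed_by is None:
            allowed_by = rule.category
    if blocked_by:
        return "block", f"block rule on category '{blocked_by}'", audited
    if allowed_by:
        return "allow", f"allow rule on category '{allowed_by}'", audited
    if default_deny:
        return "block", "no rule matched: Default Deny", audited
    return "allow", "no rule matched: default allow", audited


# Constructed sample policy (all hashes, vendors and paths are made up).
NOTEPAD_BYTES = b"constructed stand-in for the notepad.exe image"
CATEGORIES = [
    Category("Golden Image", md5s=frozenset({md5_of(NOTEPAD_BYTES)})),
    Category("Approved vendors", vendors=frozenset({"Example Corp"})),
    Category("User profile folders", folders=(r"C:\Users",)),
    Category("Portable admin tools", name_versions=frozenset({("putty.exe", "0.61")})),
]
RULES = [
    Rule("Golden Image", frozenset({"Everyone"}), "allow"),
    Rule("Approved vendors", frozenset({"Everyone"}), "allow"),
    Rule("User profile folders", frozenset({"Everyone"}), "block"),  # nothing starts from profiles
    Rule("Portable admin tools", frozenset({"Admins"}), "allow"),
    Rule("Portable admin tools", frozenset({"Everyone"}), "audit"),  # report non-admin attempts
]


def decide(exe: Executable, user_groups) -> str:
    return evaluate(exe, frozenset(user_groups), CATEGORIES, RULES)[0]


if __name__ == "__main__":
    putty = Executable(r"C:\Tools\putty.exe", "putty.exe", "0.61", "Simon Tatham", md5_of(b"putty"))
    for groups in ({"Everyone", "Admins"}, {"Everyone"}):
        print(sorted(groups), evaluate(putty, frozenset(groups), CATEGORIES, RULES))
```

The same putty.exe is allowed for an administrator in C:\Tools, merely audited (and therefore blocked by Default Deny) for an ordinary user, and blocked for everyone when it is launched from a profile folder, because the folder-based block rule outranks the name-and-version allow rule.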
Device Control

Kaspersky Security Center provides centralized control of devices by bus, device type or serial number. Administrators can apply granular control and enforce appropriate usage policies for high-risk devices to prevent the transfer of potentially malicious files via a device and to reduce the risk of data leakage. For example, IT administrators can block USB network adapters or the execution of files from USB storage devices. As another example, administrators can set up a Default Deny device control policy: they use the hardware inventory function to take stock of which devices are currently in use in the company, then set up whitelists of allowed devices by bus, device type or serial number. All device policy changes take effect in real time without a reboot.
Web Control

The host-based Web Control allows administrators to block malicious URLs and unwanted web content. Content filtering technology shields users from unwanted web content, even when it is reached through website mirrors. Kaspersky Security Center allows administrators to control settings granularly and to vary them by user group or schedule (for example, to allow personal web browsing at lunchtime).

Some companies use separate secure web gateway solutions for web filtering. However, these solutions work only while a user is connected to the corporate network. Once employees are outside the corporate network, or disconnected from the firm's Virtual Private Network (VPN), the gateway's control policies no longer apply. Because Kaspersky Lab's Web Control runs on the host, it applies everywhere, protecting employees wherever they work.

Manageability, Scalability and Virtualization Support

Dashboard, Reports

For most administrators, ongoing maintenance and the ability to react quickly to IT security events are critical. The new version of Kaspersky Security Center comes with an enhanced vulnerability reporting function and dashboard that let administrators handle these critical tasks easily. As they begin their day, administrators can take a quick glance at the state of endpoint security, with direct links to additional information, recommendations and step-by-step routes to resolve issues. For example, the dashboard shows real-time data such as a list of the clients that have no endpoint protection (EPP) agent installed. The vulnerability reports clearly indicate which critical vulnerabilities present on endpoints are currently being exploited in the wild.
Kaspersky Security Center provides 15 standard reports, as well as the option to create custom reports, and lets administrators automate and schedule their delivery. In addition, critical events automatically trigger an alert to administrators.

Web Console

To make critical security information more accessible, the newest version of Kaspersky Security Center adds a Web Console. This web application allows IT administrators to monitor protection status, perform basic management of Kaspersky Lab's endpoint security applications on corporate networks, and generate reports from any computer.

Scalability

Internal Hierarchy Using Multiple Administration Servers

In addition to linking multiple Administration Servers into an internal hierarchy, the new version of Kaspersky Security Center allows administrators to create a virtual Administration Server from the main server by right-clicking in the management console. This creates a management hierarchy under a master Administration Server (host). Companies with multiple units, subsidiaries and branch offices may use virtual Administration Servers to manage Kaspersky Lab's security applications. (Administrators of a branch office using a virtual Administration Server do not have rights to access another branch office managed under a different virtual server.)

VMware Virtual Machine Management

The new versions of Kaspersky Endpoint Security and Kaspersky Security Center are built to be VM-aware and to optimize both security and performance in a virtualized environment. Kaspersky Security Center enables centralized management of both virtual and physical clients. The Administration Server can distinguish physical from virtual machines in its management structure and apply the correct lifecycle maintenance to non-persistent virtual machines, including detection, automatic creation, deployment and removal of the appropriate security applications.
Kaspersky Security Center also manages performance optimization. For example, it prevents resource-intensive operations from running simultaneously on multiple virtual machines on the same host.

Enhanced Protection

The new version of Kaspersky Endpoint Security tightly combines protection technologies (signature-based, proactive and cloud-assisted) that work together to provide the deepest level of protection. To raise the level of protection further, heuristic analysis is used to detect new threats for which there are as yet no records in the signature databases.
Signature-Based Protection

Kaspersky Endpoint Security 8 comes with improved real-time anti-malware protection that checks files, mail protocols, web traffic and IM communications. To combat polymorphic malware, this version uses pattern-based signatures to detect malicious files effectively while reducing the signature database size. The new Qscan technology works at the deepest levels of the operating system to disinfect and neutralize detected malicious objects.

File Anti-Virus

File Anti-Virus prevents infection of the computer's file system. By default, File Anti-Virus starts with the operating system and remains permanently in memory; it scans all files that are opened, saved or run on the computer, or on any drive attached to it, for viruses and other threats. File Anti-Virus applies one of three file security levels: High, Recommended and Low. It can be configured to pause automatically at specified times or while specific programs are running. Upon detecting a threat, File Anti-Virus can prompt the user to choose an action (such as disinfecting, deleting if disinfection fails, or blocking the infected object).

Mail Anti-Virus

Mail Anti-Virus, which loads with the operating system and runs continuously, scans all incoming and outgoing email messages sent or received via the POP3, SMTP, IMAP, MAPI or NNTP protocols for viruses and other threats. For Microsoft Office Outlook and The Bat!, extension modules (plug-ins) allow the mail scanning settings to be fine-tuned.
Like File Anti-Virus, Mail Anti-Virus applies one of three mail security levels: High, Recommended and Low. Upon detecting a threat, Mail Anti-Virus can prompt the user to disinfect, delete if disinfection fails, or block the infected object, depending on the policy settings. Because malicious applications are often distributed as email attachments, administrators may also limit the maximum size of email attachments to be scanned and the maximum scanning time for archives attached to email messages.

Web Anti-Virus

Web Anti-Virus protects data sent to and from the computer over the HTTP and FTP protocols. It also checks URLs against a list of suspicious and phishing web addresses to protect users as they download free software or browse compromised websites. Like File and Mail Anti-Virus, Web Anti-Virus applies one of three web traffic security levels: High, Recommended and Low. If web traffic analysis reveals malicious code, Web Anti-Virus can select an action automatically and block or allow the download, depending on the policy settings. Since links to phishing websites can arrive not only in emails but also from other sources such as instant messages, Web Anti-Virus monitors attempts to access phishing websites at the level of web traffic and blocks them.

IM Anti-Virus

IM Anti-Virus scans the traffic of instant messaging clients. Incoming or outgoing IM messages can contain URLs that expose a computer to malicious programs, and/or URLs to malicious programs or websites used by intruders in phishing attacks. Phishing attacks attempt to steal personal user data such as credit card numbers, passport details and passwords for online payment and banking systems and other online services (e.g., social networking sites or email accounts).
Proactive Protection

About 70,000 new malicious programs appear every day; detecting all of them using only traditional signature-based methods is simply impossible. Proactive protection is therefore critical: it analyzes a program's behavior and blocks it if suspicious activity is detected. The new System Watcher technology in Kaspersky Endpoint Security 8 for Windows monitors program activity in the system and matches it against updatable patterns of destructive behavior. If a program is deemed malicious, System Watcher blocks its activity or quarantines the program, and rolls back the actions the program has already carried out in the system. Depending on policy settings, the rollback may be performed automatically.

Protection from Network Attacks

Firewall

When connected to a local area network and/or the Internet, a computer is exposed to viruses and other malware as well as to attacks that exploit vulnerabilities in the operating system and software. The Firewall protects the data stored on users' computers by blocking such threats while the computer is connected to the Internet and/or a local area network. The Firewall detects all network connections and lists them with their IP addresses and the status of each network. The Firewall component filters all network activity according to network rules, which allow or block a network connection when it is attempted. By configuring network rules, administrators can set the desired level of protection, from blocking Internet access for all applications to allowing unlimited access. The Firewall protects against network attacks at two levels: the network level and the application level. Protection at the network level is provided by network packet rules. Protection at the application level is provided by rules that govern which installed applications may access network resources. Based on these two levels, the administrator can create:

o Network packet rules, which restrict network packets regardless of the application. Such rules restrict inbound and outbound traffic through specific ports of the selected protocol.
o Application network rules, which restrict the network activity of a specific application. They consider not only the packet characteristics but also the specific application to which the packet is addressed or which issued it. Such rules make it possible to fine-tune network activity. By default, the Firewall component applies the network rules of an application's trust group when filtering the network activity of every application within that group.

Network Attack Blocker

Network Attack Blocker scans all inbound traffic for activity typical of network attacks. Upon detecting an attempted network attack targeting the computer, Kaspersky Endpoint Security 8 for Windows blocks network activity originating from the attacking computer.

Network Traffic Scanner

During the operation of Kaspersky Endpoint Security 8 for Windows, the Mail Anti-Virus, Web Anti-Virus and IM Anti-Virus components monitor data streams transmitted via specific protocols through the computer's open TCP and UDP ports. Kaspersky Endpoint Security 8 for Windows divides the operating system's TCP and UDP ports into several groups depending on the likelihood of their being compromised; ports reserved for services that are most likely to be vulnerable are monitored more thoroughly. If non-standard services listen on non-standard ports, those ports may also be targeted by an attacker. The administrator can therefore specify a list of network ports, and a list of applications requesting network access, for special monitoring by the Mail Anti-Virus, Web Anti-Virus and IM Anti-Virus components.
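The two-level Firewall model above (packet rules regardless of application, then application rules with the trust group's rules as the fallback) can be shown with a small evaluator. The following Python is an added example, not Kaspersky code; the precedence it assumes is that a matching packet rule is final, then the first rule for the specific application applies, then the first rule for its trust group, then the configured default. All paths, addresses (198.51.100.0/24 is the TEST-NET-2 documentation range) and rules are constructed.

```python
"""Two-level firewall filtering: network packet rules, then application rules.

Added example, not Kaspersky code. Modelling assumptions: packet rules are
evaluated first and the first match is final; otherwise the first matching
rule for the specific application applies, then the first matching rule for
its trust group, then the configured default.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    app: str          # full path of the process issuing or receiving the packet
    group: str        # trust group assigned by Application Privilege Control
    direction: str    # "in" or "out"
    protocol: str     # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


@dataclass(frozen=True)
class PacketRule:
    """Network level: matches on packet characteristics only. None means any."""
    action: str
    direction: Optional[str] = None
    protocol: Optional[str] = None
    remote_ports: Optional[Tuple[int, int]] = None   # inclusive range
    local_ports: Optional[Tuple[int, int]] = None
    remote_net: Optional[str] = None                 # CIDR, e.g. "10.0.0.0/24"

    def matches(self, c: Connection) -> bool:
        if self.direction and self.direction != c.direction:
            return False
        if self.protocol and self.protocol != c.protocol:
            return False
        if not _in_range(c.remote_port, self.remote_ports):
            return False
        if not _in_range(c.local_port, self.local_ports):
            return False
        if self.remote_net and ipaddress.ip_address(c.remote_ip) not in ipaddress.ip_network(self.remote_net):
            return False
        return True


@dataclass(frozen=True)
class AppRule(PacketRule):
    """Application level: a packet rule scoped to one application path or,
    when app is None, to every application in a trust group."""
    app: Optional[str] = None
    group: Optional[str] = None

    def matches(self, c: Connection) -> bool:
        if self.app is not None and self.app.lower() != c.app.lower():
            return False
        if self.app is None and self.group != c.group:
            return False
        return super().matches(c)


def filter_connection(c: Connection, packet_rules: List[PacketRule],
                      app_rules: List[AppRule], default: str = "allow") -> Tuple[str, str]:
    """Return (action, which level decided)."""
    for r in packet_rules:
        if r.matches(c):
            return r.action, "packet rule"
    for r in app_rules:                       # per-application rules first ...
        if r.app is not None and r.matches(c):
            return r.action, "application rule"
    for r in app_rules:                       # ... then the trust group's rules
        if r.app is None and r.matches(c):
            return r.action, f"group rule ({c.group})"
    return default, "default"


# Constructed sample policy; paths and addresses are made up.
BROWSER = r"C:\Program Files\Browser\browser.exe"
PACKET_RULES = [
    # inbound SMB only from the management subnet, whatever the receiving application
    PacketRule("allow", direction="in", protocol="tcp", local_ports=(445, 445), remote_net="10.0.0.0/24"),
    PacketRule("block", direction="in", protocol="tcp", local_ports=(445, 445)),
]
APP_RULES = [
    AppRule("allow", app=BROWSER, direction="out", protocol="tcp", remote_ports=(80, 80)),
    AppRule("allow", app=BROWSER, direction="out", protocol="tcp", remote_ports=(443, 443)),
    AppRule("block", app=BROWSER),                       # the browser gets nothing else
    AppRule("block", group="Untrusted"),                 # untrusted applications stay offline
    AppRule("block", group="High Restricted", direction="in"),
    AppRule("allow", group="Trusted"),
]


def decide(c: Connection) -> str:
    return filter_connection(c, PACKET_RULES, APP_RULES)[0]


if __name__ == "__main__":
    smb = Connection(r"C:\Windows\System32\svchost.exe", "Trusted", "in", "tcp", "198.51.100.7", 50100, 445)
    print(decide(smb), filter_connection(smb, PACKET_RULES, APP_RULES)[1])
```

Note that the inbound SMB decision is taken at the packet level even though svchost.exe sits in the Trusted group whose group rule allows everything: that is the point of packet rules applying "regardless of the application". A Low Restricted tool with no rule of its own falls through to the default, which is where an administrator choosing between "block Internet access for all applications" and "unlimited access" makes the call.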
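The Proactive Protection section above describes System Watcher rolling back the actions of a program judged malicious. The following Python is an added example, not Kaspersky code, of the underlying idea: an activity journal that copies each file before the monitored process overwrites or deletes it, judges the recorded sequence against a (toy) behaviour pattern, and then undoes the actions newest-first. The stand-in process, the document contents and the pattern are constructed; a real implementation intercepts file operations in a kernel-mode file system filter and also journals registry and process activity, which this model omits.

```python
"""Activity journal with rollback, modelled on the System Watcher idea.

Added example, not Kaspersky code. A stand-in process routes its file writes
and deletes through the journal, which keeps a pre-change copy of each file
so that the whole sequence can be undone in reverse order once the behaviour
has been judged malicious.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


class ActivityJournal:
    def __init__(self, backup_dir: Path):
        self.backup_dir = Path(backup_dir)
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        # (op, target, backup) in the order the actions happened
        self.entries: List[Tuple[str, Path, Optional[Path]]] = []

    def _backup(self, target: Path) -> Path:
        backup = self.backup_dir / f"{len(self.entries):06d}_{target.name}"
        shutil.copy2(target, backup)
        return backup

    def before_write(self, target: Path) -> None:
        """Called before the process creates or overwrites target."""
        if target.exists():
            self.entries.append(("modify", target, self._backup(target)))
        else:
            self.entries.append(("create", target, None))

    def before_delete(self, target: Path) -> None:
        if target.exists():
            self.entries.append(("delete", target, self._backup(target)))

    def rollback(self) -> int:
        """Undo every journalled action, newest first, so that a file that was
        modified and then deleted ends up with its original content."""
        undone = 0
        for op, target, backup in reversed(self.entries):
            if op == "create":
                if target.exists():
                    target.unlink()
            else:
                shutil.copy2(backup, target)
            undone += 1
        self.entries.clear()
        return undone


class MonitoredProcess:
    """Stand-in for a process whose file operations pass through the journal."""
    def __init__(self, journal: ActivityJournal):
        self.journal = journal

    def write(self, path: Path, data: bytes) -> None:
        self.journal.before_write(path)
        path.write_bytes(data)

    def delete(self, path: Path) -> None:
        self.journal.before_delete(path)
        path.unlink()


def looks_malicious(journal: ActivityJournal) -> bool:
    """Toy behaviour pattern: drops an executable and rewrites or removes at
    least two user documents. Real patterns are far richer and updatable."""
    dropped_exe = any(op == "create" and t.suffix == ".exe" for op, t, _ in journal.entries)
    touched_docs = {t for op, t, _ in journal.entries if op in ("modify", "delete") and t.suffix == ".txt"}
    return dropped_exe and len(touched_docs) >= 2


def xor_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    return bytes(b ^ key for b in data)


def run_demo(workdir: Path) -> Dict[str, object]:
    """Simulate a ransomware-like sequence, then roll it back."""
    docs = Path(workdir) / "docs"
    docs.mkdir()
    originals = {"report.txt": b"quarterly numbers", "notes.txt": b"meeting notes"}  # constructed
    for name, content in originals.items():
        (docs / name).write_bytes(content)

    journal = ActivityJournal(Path(workdir) / "backup")
    proc = MonitoredProcess(journal)
    proc.write(Path(workdir) / "dropper.exe", b"constructed payload")
    proc.write(docs / "report.txt", xor_encrypt(originals["report.txt"]))  # encrypt in place
    proc.write(docs / "notes.txt", xor_encrypt(originals["notes.txt"]))
    proc.delete(docs / "notes.txt")                                        # then remove it

    def snapshot() -> Dict[str, bytes]:
        return {p.name: p.read_bytes() for p in sorted(docs.iterdir())}

    after_attack = snapshot()
    verdict = looks_malicious(journal)
    undone = journal.rollback() if verdict else 0
    return {"verdict": verdict, "after_attack": after_attack, "after_rollback": snapshot(),
            "dropper_present": (Path(workdir) / "dropper.exe").exists(), "undone": undone}


def run_demo_in_tempdir() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        return run_demo(Path(tmp))


if __name__ == "__main__":
    for key, value in run_demo_in_tempdir().items():
        print(key, value)
```

The order of undo matters: notes.txt is overwritten and then deleted, so the journal holds two copies of it (the original from the overwrite, the encrypted version from the delete), and only by replaying newest-first does the original content win. Taking the backup before the first modification, rather than at detection time, is what makes the rollback possible at all.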
Bundles and Availability

Kaspersky Endpoint Security 8 and Kaspersky Security Center will be available in October 2011 as part of the following Kaspersky Lab product bundles:

1. Kaspersky Open Space Security Bundles

Kaspersky Work Space Security
o Kaspersky Endpoint Security 8 for Smartphone
o Kaspersky Endpoint Security 8 for Mac
o Kaspersky Endpoint Security 8 for Linux
o Kaspersky Endpoint Security 8 for Windows
o Kaspersky Security Center

Kaspersky Business Space Security
o All those listed above for Work Space Security, plus
o Kaspersky Anti-Virus 8.0 for Linux File Server
o Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition

Kaspersky Enterprise Space Security and Kaspersky Total Space Security
These two suites include all of the endpoint products listed above.

2. File Server Bundles

Kaspersky Security for File Server
o Kaspersky Endpoint Security 8 for Windows (the application activates only on file servers)
o Kaspersky Anti-Virus 8.0 for Linux File Server
o Kaspersky Anti-Virus 8.0 for Windows Servers Enterprise Edition
o Kaspersky Security Center

Kaspersky Anti-Virus for File Server (for EEMEA and Latin America)
o Kaspersky Endpoint Security 8 for Windows (the application activates only on file servers)
o Kaspersky Anti-Virus 8.0 for Linux File Server
o Kaspersky Security Center

System Requirements

Kaspersky Endpoint Security 8 for Windows supports 32- and 64-bit Windows operating systems from Windows XP Professional onwards. Hardware requirements are generally minimal and depend on the version of Windows in use; for Windows XP, a 1 GHz processor, 256 MB RAM and 1 GB of disk space are required. For detailed system requirements for Kaspersky Endpoint Security 8 for Windows and Kaspersky Security Center, please refer to the product documentation.