Kaspersky Endpoint Security 10 for Windows

Build 10.1.0.867, 1/24/2013

Kaspersky Endpoint Security 10 for Windows (hereinafter also referred to as the application or as Kaspersky Endpoint Security) gives corporate users all-in-one protection against digital threats.

MINIMUM CONFIGURATION

For the application to work properly, the computer must meet the following requirements:

General requirements:

· Intel Pentium 1 GHz or faster

· 1 GB of RAM

· 1 GB free hard drive space

· Microsoft Internet Explorer 7.0 or later

· Microsoft Windows Installer 3.0 or later

· An Internet connection for activating the application and for updating databases and application modules

Operating systems:

· Microsoft Windows 8 Pro x86 / x64.

· Microsoft Windows 8 Enterprise x86 / x64.

· Microsoft Windows 7 Professional x86 / x64 SP1 or later.

· Microsoft Windows 7 Enterprise / Ultimate x86 / x64 SP1 or later.

· Microsoft Windows 7 Professional x86 / x64.

· Microsoft Windows 7 Enterprise / Ultimate x86 / x64.

· Microsoft Windows Vista x86 / x64 SP2 or later.

· Microsoft Windows XP Professional x86 SP3 or later.

· Microsoft Small Business Server 2011 Essentials x64.

· Microsoft Small Business Server 2011 Standard x64.

· Microsoft Windows Server 2012 Foundation x64.

· Microsoft Windows Server 2012 Essentials x64.

· Microsoft Windows Server 2012 Standard x64.

· Microsoft Windows Server 2008 R2 Standard x64 SP1 or later.

· Microsoft Windows Server 2008 R2 Standard x64.

· Microsoft Windows Server 2008 R2 Enterprise x64 SP1 or later.

· Microsoft Windows Server 2008 R2 Enterprise x64.

· Microsoft Windows Server 2008 Standard x86 / x64 SP2 or later.

· Microsoft Windows Server 2008 Enterprise x86 / x64 SP2 or later.

· Microsoft Windows Server 2003 R2 Standard x86 / x64 SP2 or later.

· Microsoft Windows Server 2003 R2 Enterprise x86 SP2 or later.

· Microsoft Windows Server 2003 Standard x86 / x64 SP2.

INSTALLATION

To install the application, run the setup file and follow the instructions of the Setup Wizard.

Important! If you have the previous version of Kaspersky Endpoint Security 10 for Windows (Beta) installed, you must remove it before upgrading, after decrypting encrypted areas and hard drives.

During installation, Kaspersky Endpoint Security 10 for Windows detects and allows you to uninstall applications that may affect the performance of the user's computer (even to complete inoperability) when running at the same time as the product.

You can install the application remotely using Kaspersky Security Center.

Important! The application is compatible with Kaspersky Security Center 10.0 or later.

The application can be installed in silent mode without the user's involvement.

To enable the encryption functionality in Kaspersky Endpoint Security 10 for Windows, you should install the encryption module.

WHAT'S NEW IN KASPERSKY ENDPOINT SECURITY 10 FOR WINDOWS

Data Encryption

Kaspersky Endpoint Security 10 for Windows offers extensive encryption features for data protection. Encryption reduces the risk of data leaks when a laptop or removable drive is lost or stolen, and prevents unauthorized access.

The application offers the following encryption features:

· File level encryption (FLE) for files on local drives and removable drives

· Full disk encryption (FDE) for hard drives and removable drives

File level encryption (FLE) features:

Encrypt files on local computer drives. Create encryption lists of files by extension or group of extensions and encryption lists of folders on local computer drives.
Encrypt files on removable drives. Specify a default encryption rule by which the application applies the same action to all removable drives, or configure encryption rules for files stored on individual removable drives.

The application supports several file encryption modes for removable drives: encryption of all files stored on removable drives or encryption of new files only as they are saved or created on removable drives.

Files on removable drives can also be encrypted in portable mode. It allows access to encrypted files on removable drives that are connected to computers without Kaspersky Endpoint Security installed.

Encrypt files created or modified by specific applications. Create a list of applications to have Kaspersky Endpoint Security encrypt all files that such applications create or modify on both hard drives and removable drives.
Manage rules of application access to encrypted files. Define an encrypted file access rule for any application. It blocks access to encrypted files or allows access to encrypted files as ciphertext only. By default, if no rules of access to encrypted files have been specified, programs are granted direct access to them.
Create encrypted packages for safe data sharing. You can create encrypted packages and protect access to such packages with a password. The contents of an encrypted package can be accessed only by entering the password that protects it. Such packages can be safely transmitted over networks or via removable drives.

Full disk encryption (FDE) features for hard drives and removable drives:

· Encrypt hard drives. Specify the default hard drive encryption rule and create a list of hard drives to be excluded from encryption. After the hard drives have been encrypted, the user must pass authentication by the Authentication Agent before data on the hard drives can be accessed and the operating system loaded.

· Encrypt removable drives. As with file level encryption of removable drives, specify a default encryption rule by which the application applies the same action to all removable drives, or configure encryption rules for individual removable drives.

· Manage user rights to boot an OS on computers with encrypted hard drives. Create user accounts with settings that allow or block user access to data that is stored on encrypted hard drives after users pass authentication by the Authentication Agent.

· Restore encrypted devices. If an encrypted hard drive or removable drive is corrupted, you can restore your device's data using a special Restore Utility.

Different application modes depending on license type

Kaspersky Endpoint Security 10 for Windows can operate in the following modes depending on the type of license:

· Basic protection (Core). Provides minimum protection with the following functionality: File Anti-Virus, Mail Anti-Virus, Web Anti-Virus, IM Anti-Virus, network protection, Vulnerability Scan, Vulnerability Monitor, computer scan tasks, Advanced Disinfection technology, and System Watcher.

· Standard protection (Select). Provides standard protection that combines basic protection features with the following control components: Application Privilege Control, Application Startup Control, Web Control, and Device Control.

· Advanced protection. Provides maximum protection by combining standard protection functionality with data encryption features.

During application installation, the user is offered to choose the type of installation (basic, standard, full), or perform custom installation.

If the active license covers more components than are currently installed, the application prompts the user to install the missing components.

When the user activates a license that downgrades the current level of protection, the components that are not covered by this license behave in the same way as they do when the active license expires or the user chooses not to use a license.

Feature updates were implemented for components of Application Startup Control, Device Control, and Web Control.

LIMITATIONS AND KNOWN ISSUES

· File level encryption (FLE) features:

o Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.

o When you use a computer where the encryption functionality of Kaspersky Endpoint Security is unavailable to access a file stored on a computer where the encryption functionality is available, direct access to the file is granted. When you use a computer where the encryption functionality of Kaspersky Endpoint Security is available to copy an encrypted file from a network folder to a computer with unavailable encryption functionality, such file is copied in non-encrypted format.

o The application cannot encrypt files that were encrypted with EFS if it could not access the files' contents. You are advised to decrypt files that were encrypted with EFS, before encrypting files with Kaspersky Endpoint Security.

o After a file is encrypted, its size increases by 4 KB.

o After a file is encrypted, the "Archive" attribute is set in the file properties.

o In some cases, after the protected local storage of encryption keys is corrupted, no access to encrypted files is granted. To restore access to encrypted files, you should exit the application, delete the protected local storage of encryption keys that is located in the folders with the name .ka$tor in the root directory of each volume, and then start the application. By default, folders with the name .ka$tor have a "Hidden" attribute. If connection with Kaspersky Security Center is established, direct access to encrypted files is granted after the application restart. If connection with Kaspersky Security Center is not established, the application prompts the user to pass the procedure of requesting access to encrypted files.

o When unpacking an encrypted archive, files from this archive overwrite those in the target folder in case any files with identical names are detected. The user is not informed of the overwriting operation.

o Messages on errors that have occurred in the operation of the portable file manager are not displayed.

o In some cases, the operation of the portable file manager may slow down on computers running under Microsoft Windows XP.

o The portable file manager cannot start in case a removable device is connected to a computer where the encryption functionality of Kaspersky Endpoint Security is available, unless the computer is managed by Kaspersky Security Center.

o While applying the file encryption policy to a removable drive, safe removal is not supported.

o In some cases, errors may be displayed in the decryption progress window and in application reports when attempting to decrypt a non-decrypted removable device. Such behavior of the application does not lead to damage of removable media.

o When file encryption functionality is used, the application is incompatible with the Sylpheed email client.

o When files and folders are added to the decryption list, in some cases initial decryption may happen with a delay or only after system reboot. In this case, when access is attempted to files and folders in the decryption list, the application decrypts them.

o Editing of the swap file settings is not supported: the operating system uses default values instead of user-defined settings.

o Creation of symbolic links to network folders is not supported.

· Full disk encryption (FDE) of hard drives and removable drives:

o Authentication Agent supports only the QWERTY keyboard layout.

o After full disk encryption (FDE) functionality for hard drives and removable drives has been installed on a computer running Microsoft Windows XP, the option of quickly switching between operating system users is blocked.

o If, when booting the operating system, any hard drives that have been encrypted on another computer, or encrypted removable devices are connected to the computer, access to drive contents is granted only after application startup. If there are processes that are accessing encrypted devices, the application cannot grant direct access to such devices, so it displays a warning prompting you to terminate all such processes. If you cannot terminate all processes that are accessing encrypted devices, you must reconnect the encrypted devices.

o The unique ID's of hard drives are displayed in the device encryption statistics in inverted format.

o In some cases, formatting a device during encryption may lead to damage of logical partitions.

o In some cases, when connecting several removable devices to a computer simultaneously, the encryption policy applies to one of them only. When reconnecting the rest of the removable devices, the encryption policy applies correctly.

o If all accounts of Authentication Agent are blocked on a computer, logging in to the operating system is blocked on this computer.

o Automatic user login into the operating system is not supported when the operating system goes out of hibernation with Single Sign-On (SSO) technology enabled.

o A computer running Microsoft Windows 8 does not support automatic user login into the operating system if operating system Quick Launch is enabled together with Single Sign-On (SSO) technology.

o A file and folder decryption error is returned at the start of decryption of a removable drive that has been encrypted together with its file system.

o Encryption may fail to start on a heavily fragmented hard drive. In this case, hard drive defragmentation should be performed.

o During hard drive encryption, hybernation is blocked from the moment the encryption task is started until the first computer restart. During hard drive decryption, hybernation is blocked from the moment the boot hard drive is fully decrypted until the first computer restart.

o Using the xbootmgr.exe tool with additional services enabled (for example, DISPATCHER, NETWORK, DRIVERS etc.) may cause the operating system to crash.

o Authentication Agent requires password change for accounts regardless of Kaspersky Security Center policy settings. For more details, please refer to the application page in the Knowledge Base, article ID - 9647.

o System Watcher: full information about processes is not displayed.

o Licensing:

o The available functionality is displayed incorrectly in the "Licensing" window of the application in server-based operating systems.

o The task of adding keys through Kaspersky Security Center might not work correctly. For more details, please refer to the application page in the Knowledge Base, article ID – 9648.

o Advanced Disinfection:

o In some cases, no warning of required advanced disinfection is displayed.

o In some cases, the application does not start automatically after a restart on computers running under Microsoft Windows XP SP3. In this case, computer restart is required.

o In some cases, the list of trusted URLs might not work correctly.

o Recovery of objects moved to Quarantine by Mail Anti-Virus is not supported.

o Installing the application:

o After being installed to an infected computer, the application does not inform the user of required scan of the computer. Problems with the application activation may be experienced. To solve this problem, you should run the critical areas scan after the application installation.

o Aborting the process of upgrading the application to Kaspersky Endpoint Security 10 for Windows may lead to inoperability of the upgraded version of the application.

o In some cases, the application cannot be installed over Kaspersky Internet Security 2013 MP1. You are recommended to remove Kaspersky Internet Security 2013 MP1 and start the installation of Kaspersky Endpoint Security from scratch.

o When upgrading Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 to Kaspersky Endpoint Security 10 for Windows, automatic installation of the encryption module along with the application is not supported. Encryption Module should be installed separately.

o If the Encryption Module has been installed separately after the application installation, the encryption functionality of the application will remain unavailable until you restart the computer.