Known limitations in Kaspersky Endpoint Security 10 for Windows Workstations SP1
Latest update: October 10, 2019
ID: 11966
There are a number of limitations in Kaspersky Endpoint Security 10 for Windows Workstations Service Pack 1.
1. Full Disk Encryption (FDE) of hard drives and removable drives:
The following limitations are present in Full Disk Encryption (FDE) of hard drives and removable drives:
- Hard drive encryption functionality is not supported under operating systems of the Microsoft Windows Embedded family.
- Once you have installed the application, you must restart the operating system for the hard drive encryption functionality to work properly.
- The authentication agent does not support hieroglyphics and the special symbols "|" and "\".
- When there are processes that attempt to access encrypted drives before the application has granted them access to such devices, the application shows a warning saying that such processes must be terminated. If all such processes cannot be terminated, the encrypted drives have to be reconnected.
- The unique ID's of hard drives are displayed in the device encryption statistics in inverted format.
- It is not recommended to format logical partitions of the hard drive while it is being encrypted.
- In some cases, when connecting several removable devices to a computer simultaneously, the encryption policy applies to one of them only. When reconnecting the rest of the removable devices, the encryption policy applies correctly.
- Encryption may fail to start on a heavily fragmented hard drive. In this case, hard drive defragmentation should be performed.
- During hard drive encryption, hibernation is blocked from the time when the encryption task starts and until the first reboot of a computer under Microsoft Windows XP / 7 / 8 / 8.1 operating systems, and after installation of hard drive encryption – until the first reboot of Microsoft Windows 8 / 8.1 operating systems. During hard drive decryption, hibernation is blocked from the time when the boot hard drive is fully decrypted until the first reboot of the operating system. When the Quick Start option is enabled in the Microsoft Windows 8 / 8.1 operating systems, blocking of hibernation makes it impossible to shut down the operating system.
- It is not recommended to use the xbootmgr.exe tool with additional providers enabled (such as DISPATCHER, NETWORK, DRIVERS, and others).
- After full disk encryption (FDE) functionality for hard drives and removable drives has been installed on a computer running Microsoft Windows XP, the option of quickly switching between operating system users is blocked.
- Full disk encryption of devices with the FAT32 file system is not supported on computers running under Microsoft Windows XP and Microsoft Windows Vista. Use file and folder level encryption (FLE) to encrypt such devices or reformat them to the NTFS file system.
- Formatting of an encrypted removable drive is not supported on a computer with Kaspersky Endpoint Security installed.
- Formatting of an encrypted removable drive with the FAT32 file system is not supported (the device is displayed as encrypted). To be able to format the device, reformat it to the NTFS file system.
- The specifics of restoring the operating system from a backup copy to an encrypted GPT device are described in the product Knowledge Base.
- Coexistence of several download agents on one encrypted computer is not supported.
- It is impossible to access a removable drive that was previously encrypted on a different computer when all of the following conditions are met: there is no connection to the Kaspersky Security Center server; the user attempts authorization using a new token (a newly issued or replacement token) or a new password. If this happens, the computer has to be restarted. After the computer has been restarted, access to the encrypted removable drive will be granted.
- Authentication agent login using tokens and smart cards is not supported if the Legacy ROM support option is enabled in UEFI settings.
- In some cases, discovery of USB devices by the authentication agent is not supported when xHCI mode for USB is enabled in BIOS settings.
- Full-disk encryption of the SSD part of the drive, which is used for caching the most frequently used data, is not supported for SSHD devices.
- Full-disk encryption of 32-bit operating systems Microsoft Windows 8 and Microsoft Windows 8.1 running in UEFI mode is not supported.
- The computer has to be restarted in the following cases after hard drive decryption:
- Before the decrypted hard drive is encrypted again;
- Before full disk encryption functionality is removed or upgraded.
2. Encryption of files and folders (FLE)
The following limitations are present in Encryption of files and folders (FLE):
- File and folder encryption functionality is not supported under operating systems of the Microsoft Windows Embedded family.
- Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.
- When you use a computer where the encryption functionality is unavailable to access a file stored on a computer where the encryption functionality is available, direct access to the file is granted. When you use a computer where the encryption functionality of Kaspersky Endpoint Security is available to copy an encrypted file from a network folder to a computer with unavailable encryption functionality, such file is copied in non-encrypted format.
- You are advised to decrypt files that were encrypted with Encrypting File System, before encrypting files with Kaspersky Endpoint Security.
- After a file is encrypted, its size increases by 4 KB.
- After a file is encrypted, the "Archive" attribute is set in the file properties.
- When unpacking an encrypted archive, files from this archive overwrite those in the target folder in case any files with identical names are detected. The user is not informed of the overwriting operation.
- Portable File Manager errors are not displayed in the Portable File Manager interface.
- Kaspersky Endpoint Security does not launch Portable File Manager on a computer with file encryption functionality installed.
- When file encryption functionality is used, the application is incompatible with the Sylpheed email client.
- Editing of the swap file settings is not supported: the operating system uses default values instead of user-defined settings.
- Management of the directory structure (creating / renaming) in the distributed file system (DFS) is not supported when file and folder encryption functionality is installed on a computer under Microsoft Windows XP.
- It is not recommended to use file and folder level encryption (FLE) functionality to encrypt the entire system drive on a computer under Microsoft Windows XP, as this can cause the operating system to malfunction. You are advised to use full drive encryption (FDE) functionality to encrypt the system hard drive with the NTFS file system on a computer running under Microsoft Windows XP.
- Safe removal should be used when working with encrypted removable drives. If a removable drive is removed unsafely, data safety on the removable drive is not guaranteed.
- After the files are encrypted, their non-encrypted original copies undergo safe removal.
- Client-Side Caching service (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the level of group policies: offline files are still available for editing; however, changes made to an offline file can be lost after synchronization.
- Creation of an encrypted archive in the root of the system hard drive is not supported.
- In some cases, problems can be experienced when attempting to access encrypted files over the network. If this happens, it is recommended to move files to a different source or make sure that the computer used as a file server is managed by the same Kaspersky Security Center Administration Server.
- In some cases, changing the keyboard layout causes the password entry window for an encrypted self-extracting archive to hang up. To solve this problem, close the password entry window, switch the keyboard layout in your OS, and re-enter the password for the encrypted archive.
3. Licensing
The following limitations are present in Licensing:
- The task of adding keys through Kaspersky Security Center might not work correctly. See the Knowledge Base article on the issue
- If the "Error receiving data" system message is displayed, check if the computer on which you are performing activation has network access, or configure activation via Kaspersky Security Center Activation Proxy.
4. Device Control
The following limitations are present in Device Control:
- In some cases, access to Printer devices added to the list of trusted devices is blocked by device and bus blocking rules.
- In some cases, blocking of devices at the level of connection buses is not supported on computers running under Microsoft Windows 8.1. You are advised to block devices by type.
- Execution of an executable file on a blocked removable drive is not blocked on computers running under Microsoft Windows XP.
5. Web Control
The following limitations are present in Web Control:
- The ogv and webm formats are not supported.
- The RTMP protocol is not supported.
6. Advanced Disinfection
The following limitations are present in Advanced Disinfection:
- Under server operating systems, no warning of required advanced disinfection is displayed.
- In some cases, the application does not start automatically after a restart on computers running under Microsoft Windows XP SP3. In this case, the computer has to be restarted.
7. Limitations during the installation
The following limitations are present during the installation:
- After being installed to an infected computer, the application does not inform the user of required scan of the computer. Problems with the application activation may be experienced. To solve this problem, you should run the critical areas scan after the application installation.
- Aborting the process of upgrading the application to Kaspersky Endpoint Security 10 Service Pack 1 for Windows may lead to inoperability of the upgraded version of the application.
- When upgrading Kaspersky Anti-Virus 6.0 for Windows Workstations MP4 to Kaspersky Endpoint Security 10 Service Pack 1 for Windows, automatic installation of the encryption module along with the application is not supported. The encryption module should be installed separately.
- After Kaspersky Endpoint Security 10 Service Pack 1 for Windows has been restored, the encryption module has to be restored separately in order for encryption functionality to work correctly.
- If the user has changed the default folder C:\Program Files (86) to C:\Program Files\ while upgrading Kaspersky Endpoint Security 8 Critical Fix 2 for Windows, Kaspersky Endpoint Security 10 for Windows, or Kaspersky Endpoint Security 10 Maintenance Release 1 for Windows to Kaspersky Endpoint Security 10 Service Pack 1 for Windows, the old version of the application cannot be removed.
- When using non-ASCII symbols (such as Cyrillic letters) in the setup.ini file (e.g., in the "InstallDir" parameter), you are recommended to use notepad.exe and save the file in "Encoding: Unicode", or choose a different saving mode when using UTF-16LE. Other encodings are not supported.
- During remote deployment of the application through Kaspersky Security Center, incompatible software is removed by default. To prevent incompatible software from being removed, first enable and then disable the incompatible software removal attribute in the parameters of the installation package.
- If application settings are password-protected, use the following commands to remove the encryption module:
- For the AES encryption module (256 bits):
msiexec /x {090EAE5F-F428-49D5-9CAF-BEED98A702CA} KLPASSWD=<password> /qn. - For the AES encryption module (56 bits):
msiexec /x {51DAFEE1-44D0-4E1E-8F6B-80F57FEC5AE0} KLPASSWD=<password> /qn.
- For the AES encryption module (256 bits):
8. Other limitations
- If a scan of startup objects detects an infected file and the user has not applied Advanced Disinfection, then restoring the infected file from Quarantine before restarting the computer results in a permanent deletion of the file after the restart.
- In some cases, web addresses added to the list of trusted web addresses can be processed incorrectly.
- In some cases, application events are displayed incorrectly in Kaspersky Security Center reports.
- Recovery of objects moved to Quarantine by Mail Anti-Virus is not supported.
- System Watcher: full information about processes is not displayed.
- The application cannot be modified remotely when the application settings are password-protected.