Known issues and limitations of Kaspersky Endpoint Security 10 SP1 MR2
Latest update: November 21, 2018
ID: 12501
Full disk encryption (FDE) of hard drives and removable drives
- Hard drive encryption is not supported under operating systems of the Microsoft Windows Embedded family.
- Full disk encryption is not supported on tablets.
- For correct operation of the hard drive encryption feature, system reboot is required after the installation of the product.
- The authentication agent does not support hieroglyphics and the special symbols "|" and "\".
- When there are processes that attempt to access encrypted drives before the application has granted them access to such devices, the application shows a warning saying that such processes must be terminated. If all such processes cannot be terminated, the encrypted drives have to be reconnected.
- Unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
- It is not recommended to format the devices during the process of their encryption.
- In some cases, when more than one removable drive is connected to the computer, the encryption policy is applied only to one of the drives. The next time the drives that were not encrypted are connected, the policy works correctly.
- Encryption may fail to start on a heavily fragmented hard drive. In this case, hard drive defragmentation should be performed.
- During hard drive encryption, hibernation is blocked from the time when the encryption task starts and until the first reboot of a computer under Microsoft Windows 7 / 8 / 8.1 / 10 operating systems, and after installation of hard drive encryption – until the first reboot of Microsoft Windows 8 / 8.1 / 10 operating systems. During hard drive decryption, hibernation is blocked from the time when the boot hard drive is fully decrypted until the first reboot of the operating system. When the Quick Start option is enabled in the Microsoft Windows 8 / 8.1 / 10 operating systems, blocking of hibernation makes it impossible to shut down the operating system.
- It is not recommended to use the xbootmgr.exe tool with additional providers enabled (such as DISPATCHER, NETWORK, DRIVERS, and others).
- After full disk encryption (FDE) functionality for hard drives and removable drives has been installed on a computer running on Microsoft Windows XP, the option of quickly switching between operating system users is blocked.
- Full disk encryption of devices with the FAT32 file system is not supported on computers running on Microsoft Windows XP and Microsoft Windows Vista. Use file and folder level encryption (FLE) to encrypt such devices or reformat them to the NTFS file system.
- Formatting of an encrypted removable drive is not supported on a computer with Kaspersky Endpoint Security installed.
- Formatting of an encrypted removable drive with the FAT32 file system is not supported (the device is displayed as encrypted). To be able to format the drive, reformat it to the NTFS file system.
- Issues may occur when restoring the operating system from a backup copy to an encrypted GPT device.
- Coexistence of several download agents on one encrypted computer is not supported.
- It is impossible to access a removable drive that was previously encrypted on a different computer in case of simultaneous existence of the following conditions: there is no connection to the Kaspersky Security Center server; the user attempts authorization using a new token (a newly issued or replacement token) or a new password. If this happens, the computer has to be restarted. After the computer restart, access to the encrypted removable drive will be granted.
- In some cases, discovery of USB devices by the authentication agent is not supported when xHCI mode for USB is enabled in BIOS settings.
- Full-disk encryption (FDE) of the SSD part of the drive, which is used for caching the most frequently used data, is not supported for SSHD devices.
- Full-disk encryption of 32-bit Microsoft Windows 8 / 8.1 / 10 operating systems running in UEFI mode is not supported.
- A computer restart is required before a decrypted hard drive can be encrypted again.
- Hard drive encryption is incompatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use full disk encryption on computers with Kaspersky Anti-Virus for UEFI installed.
- For support of authorization in the authentication agent using tokens and smart cards in UEFI systems, the Legacy ROM option must be enabled.
- Creating authentication agent accounts based on MS accounts is supported with the following restrictions: single sign-on technology is not supported; automatic authentication agent account creation is not supported if the option of creating accounts for users who entered the system during last N days has been selected.
- The list of devices which support hard drive encryption with limitations.
- If the FDE account name is "domain"/"Windows account name", then after changing the computer name you must also update the domain part of the account names created for local users on this computer. For example, the computer name is USER and your local user account name is Username, and the FDE account has been created under the name USER/Username. If the computer name (USER) has been changed (for example, to USER-PC), then you must change the FDE account name from USER/Username to USER-PC/Username. To change the FDE account name, use the local FDE accounts management task. Until the FDE account name is changed, only the old name can be used for preboot authentication (in the example: USER/Username).
- If the user restarts the computer when the message "Your password has been changed. Click OK" is displayed, the new password is not saved. Therefore, the old password must be used for the next preboot authentication.
- After updating Kaspersky Endpoint Security 10 for Windows with full-disk encryption (FDE) installed to the version Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows on the computer under Microsoft Windows XP, you may experience problems with winlogon.exe until the first computer restart. Upon restart, winlogon.exe will work correctly in the normal mode, however you may see the system notification informing that the previous session of winlogon process has been terminated unexpectedly.
- If the user can only access the host computer encrypted using FDE with a token and has performed the access restoring procedure, make sure that after restoring access to the encrypted host, the user is allowed to access it using the password in the authentication agent. In some cases, the password set when restoring access is not saved. In this case, the user will have to restore access to the encrypted host once again at the next computer restart.
Encryption of files and folders (FLE)
- File and folder encryption functionality is not supported under operating systems of the Microsoft Windows Embedded family.
- Encryption of files and folders (FLE) is not supported on tablets.
- Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.
- When you use a computer where the encryption functionality is unavailable to access a file stored on a computer where the encryption functionality is available, direct access to the file is granted. When you use a computer where the encryption functionality of Kaspersky Endpoint Security is available to copy an encrypted file from a network folder to a computer with unavailable encryption functionality, such file is copied in non-encrypted format.
- You are advised to decrypt files that were encrypted with Encrypting File System, before encrypting files with Kaspersky Endpoint Security.
- After a file is encrypted, its size increases by 4 KB.
- After a file is encrypted, the "Archive" attribute is set in the file properties.
- When unpacking an encrypted archive, files from this archive overwrite those in the target folder in case any files with identical names are detected. The user is not informed of the overwriting operation.
- Portable File Manager errors are not displayed in the Portable File Manager interface.
- Kaspersky Endpoint Security does not launch Portable File Manager on a computer with file encryption functionality installed.
- When file encryption functionality is used, the application is incompatible with the Sylpheed email client.
- Editing of the swap file settings is not supported: the operating system uses default values instead of user-defined settings.
- Management of the directory structure (creating / renaming) in the distributed file system (DFS) is not supported when file and folder encryption functionality is installed on a computer under Microsoft Windows XP.
- It is not recommended to use file and folder level encryption (FLE) functionality to encrypt the entire system drive on a computer under Microsoft Windows XP, as this can cause the operating system to malfunction. You are advised to use full disk encryption (FDE) functionality to encrypt the system hard drive with the NTFS file system on a computer running under Microsoft Windows XP.
- Safe removal should be used when working with encrypted removable drives. If a removable drive is removed unsafely, data safety on the removable drive is not guaranteed.
- After the files are encrypted, their non-encrypted original copies undergo safe removal.
- Synchronization of offline files using Client-Side Caching service (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the level of group policies: offline files are still available for editing; however, changes made to an offline file can be lost after synchronization.
- Creation of an encrypted archive in the root of the system hard drive is not supported.
- In some cases, problems can be experienced when attempting to access encrypted files over the network. If this happens, it is recommended to move files to a different source or make sure that the computer used as a file server is managed by the same Kaspersky Security Center Administration Server.
- In some cases, changing the keyboard layout causes the password entry window for an encrypted self-extracting archive to stop responding. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive.
- When using file encryption on systems with several disk partitions, it is recommended that you use the automatic pagefile.sys file size identification option. Otherwise, the file pagefile.sys may be moved to a different partition upon computer restart.
Encryption Module
- After the installation of the encryption module on the host with the encryption policy applied, the encryption status of the host will be Encryption error. To enable the encryption policy, restart the computer.
Licensing
- The task of adding keys through Kaspersky Security Center might not work correctly.
- If the "Error receiving data" system message is displayed, check if the computer on which you are performing activation has network access, or configure activation via Kaspersky Security Center Activation Proxy.
- When the subscription is disabled retrospectively, the product's functionality is disabled, the event "License Agreement violated" is written to the logs, and the new license is not activated automatically. To activate the new license, remove all licenses from the product and distribute the correct license once again.
Device Control
- In some cases, access to Printer devices added to the list of trusted devices is blocked by device and bus blocking rules.
- In some cases, blocking of devices at the level of connection buses is not supported on computers running under Microsoft Windows 8.1. You are advised to block devices by type.
- Execution of an executable file on a blocked removable drive is not blocked on computers running under Microsoft Windows XP.
Installing the application
- After being installed on an infected computer, the application does not inform the user that a scan of the computer is required. Problems with application activation may be experienced. To solve this problem, run the critical areas scan after installing the application.
- When non-ASCII characters (such as Russian letters) are used in the setup.ini file (including in the "InstallDir" parameter), it is recommended to use notepad.exe and save the file in "Encoding: Unicode" encoding or otherwise save the setup.ini file in UTF-16LE encoding. Other encodings are not supported.
- During remote deployment of the application through Kaspersky Security Center, incompatible software is removed by default. To prevent incompatible software from being removed, first enable and then disable the incompatible software removal attribute in the parameters of the installation package.
- If application settings are password-protected, use the following commands to remove the encryption module:
  - For the AES encryption module (256 bits):
    msiexec /x {090EAE5F-F428-49D5-9CAF-BEED98A702CA} KLPASSWD=<password> /qn
  - For the AES encryption module (56 bits):
    msiexec /x {51DAFEE1-44D0-4E1E-8F6B-80F57FEC5AE0} KLPASSWD=<password> /qn
- During the product settings import from the cfg file, the option of participation in Kaspersky Security Network is not applied. After the settings are imported, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can find the text of the Kaspersky Security Network Statement in the product interface or in the file ksn_*.txt in the product installation folder.
- If, during the update of Kaspersky Endpoint Security 8 Critical Fix 2 for Windows, Kaspersky Endpoint Security 10 for Windows, or Kaspersky Endpoint Security 10 Maintenance Release 1 for Windows to Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows, the user has changed the default folder C:\Program Files (x86) to C:\Program Files\, it will be impossible to delete the old version of the product.
- To install the product under Microsoft Windows Server 2003 R2 via RDP, you must disable protection of the installation process (run the installer with the /pSELFPROTECTION=0 key).
- In some cases, when installing the product on an infected computer under Microsoft Windows 8.1 (the value of the minor build in the full kernel version is over 18000) or Microsoft Windows 10 Fall Update (TH2), the product won't start after the installation. In such cases, use the KVRT tool to disinfect the system.
- If the installation of the Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 patch via the Kaspersky Lab Update Service fails on computers managed by Kaspersky Security Center, update the product via Kaspersky Security Center using remote installation from the full installer or using the remote patch installation package.
  To create the remote patch installation package using Kaspersky Security Center:
  - Create the installation package using the option Create installation package for specified executable file.
  - In the installer selection window, specify the msp file of the patch (kes10sp1mr2_<installer language>.msp file from the full installation package). In the command line entry field, type the following:
    msiexec.exe /i {7A4192A1-84C4-4E90-A31B-B4847CA8E23A} PATCH=kes10sp1mr2_<installer language>.msp EULA=1 /qn
  - Finish the creation of the package.
  - Run the installation task.
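The setup.ini encoding requirement listed above can be checked before the package is deployed. The following is an added example, not Kaspersky code: it flags a setup.ini that has non-ASCII content but is not UTF-16LE with a byte order mark (what Notepad saves as "Unicode") and re-encodes it. The sample InstallDir value, the cp1251 fallback code page and the reliance on a BOM to recognise UTF-16 are assumptions.

```python
import codecs
from pathlib import Path

# Constructed sample: the page names only the "InstallDir" parameter;
# the path value is made up for illustration.
SAMPLE_TEXT = "InstallDir=C:\\Программы\\KES\r\n"

def detect_encoding(raw: bytes) -> str:
    """Classify raw file bytes by BOM, falling back to an ASCII check.
    Assumption: a UTF-16 file always starts with a BOM."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    if raw.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    return "ascii" if all(b < 0x80 for b in raw) else "unknown-8bit"

def needs_reencoding(raw: bytes) -> bool:
    """True when the file is neither plain ASCII nor UTF-16LE with BOM."""
    return detect_encoding(raw) not in ("utf-16-le", "ascii")

def to_utf16le(raw: bytes, fallback_codepage: str = "cp1251") -> bytes:
    """Return the same text encoded as UTF-16LE with BOM."""
    kind = detect_encoding(raw)
    if kind == "utf-16-le":
        return raw
    if kind == "utf-16-be":
        text = raw[2:].decode("utf-16-be")
    elif kind == "utf-8-sig":
        text = raw.decode("utf-8-sig")
    else:
        try:
            text = raw.decode("utf-8")            # strict: rejects ANSI bytes
        except UnicodeDecodeError:
            text = raw.decode(fallback_codepage)  # assumed ANSI code page
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")

def fix_file(path: Path, fallback_codepage: str = "cp1251") -> bool:
    """Re-encode path in place if required; return True when rewritten."""
    raw = path.read_bytes()
    if not needs_reencoding(raw):
        return False
    path.write_bytes(to_utf16le(raw, fallback_codepage))
    return True

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ini = Path(tmp) / "setup.ini"
        ini.write_bytes(SAMPLE_TEXT.encode("cp1251"))  # simulate an ANSI save
        print("rewritten:", fix_file(ini), "->", detect_encoding(ini.read_bytes()))
```

Set the fallback code page to the ANSI code page of the machine where the file was edited; a wrong value re-encodes the path into the wrong characters without raising an error.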
Advanced Disinfection technology
- Under server operating systems, no warning of required advanced disinfection is displayed.
- In some cases, the application does not start automatically after a restart on computers running under Microsoft Windows XP SP3. In this case, the computer has to be restarted.
Firewall
- Filtering packets / connections by local addresses, physical interface, and TTL is supported in the following cases:
- by local address for outgoing packets / connections in applications rules (for TCP and UDP) and packet rules;
- by local address for incoming packets / connections (except for UDP) in blocking rules of apps and packet rules;
- by packet TTL in blocking packet rules for incoming / outgoing packets;
- by network interface for incoming and outgoing packets / connections in packet rules.
Compatibility with third-party software
- For compatibility with Blue Coat Unified Agent, disable scanning of the ports it uses (for example, 80, 443).
- Citrix Xen Desktop: before cloning of virtual machines which use vDisk, Self-Defense must be disabled.
Other
- If a scan of startup objects detects an infected file and the user has not applied Advanced Disinfection, then restoring the infected file from Quarantine before restarting the computer results in a permanent deletion of the file after the restart.
- In some cases, web addresses added to the list of trusted web addresses can be processed incorrectly.
- In some cases, application events are displayed incorrectly in Kaspersky Security Center reports.
- Recovery of objects moved to Quarantine by Mail Anti-Virus is not supported.
- System Watcher: full information about processes is not displayed.
- The task that changes the set of application components via Kaspersky Security Center does not work if the application settings are password-protected.
- In some cases, at the first startup of the product, a subscribed app may be temporarily moved to an incorrect group. Later the group will be automatically changed to the correct one.
- In some cases, the service process is terminated after the device wakes from the sleep or hibernation mode on Microsoft Surface 3® tablets.
- If during scanning of the drive a threat has been detected inside a container which cannot be disinfected by the product, the container will appear in the list of unprocessed files. The object is not moved to the software backup storage from its initial location in the file system. It will be detected at the next scan. The object must be removed manually. At the next scan, the object will be moved from the list of unprocessed files to the list of disinfected objects. The list of the types of containers which can be disinfected by the product is available in the documentation.