Limitations and known issues in Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3
Latest update: January 10, 2020
ID: 13072
- Support limitations for Microsoft Windows 10 Anniversary Update (Redstone 1).
- Support limitations for Microsoft Windows Server 2016.
Service Pack 1 Maintenance Release 3 does not include any interface or localization changes. After installation, the name of the product remains the same: Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2. The version of the product and information about installed updates is available in the About window, in the Application version field of the Support window, and in the pop-up.
Full disk encryption (FDE) of hard drives and removable drives
- Hard drive encryption is not supported under operating systems of the Microsoft Windows Embedded family.
- Full disk encryption is not supported on tablets.
- For correct operation of the hard drive encryption feature, system reboot is required after the installation of the product.
- The authentication agent does not support hieroglyphics and the special symbols "|" and "\".
- When there are processes that attempt to access encrypted drives before the application has granted them access to such devices, the application shows a warning saying that such processes must be terminated. If all such processes cannot be terminated, the encrypted drives have to be reconnected.
- Unique IDs of hard drives are displayed in the device encryption statistics in inverted format.
- It is not recommended to format the devices during the process of their encryption.
- In some cases, when more than one removable drive is connected to the computer, the encryption policy is applied to only one of the drives. The next time the drives that were not encrypted are connected, the policy works correctly.
- Encryption may fail to start on a heavily fragmented hard drive. In this case, hard drive defragmentation should be performed.
- During hard drive encryption, hibernation is blocked from the time when the encryption task starts and until the first reboot of a computer under Microsoft Windows 7 / 8 / 8.1 / 10 operating systems, and after installation of hard drive encryption – until the first reboot of Microsoft Windows 8 / 8.1 / 10 operating systems. During hard drive decryption, hibernation is blocked from the time when the boot hard drive is fully decrypted until the first reboot of the operating system. When the Quick Start option is enabled in the Microsoft Windows 8 / 8.1 / 10 operating systems, blocking of hibernation makes it impossible to shut down the operating system.
- It is not recommended to use the xbootmgr.exe tool with additional providers enabled (such as DISPATCHER, NETWORK, DRIVERS, and others).
- After full disk encryption (FDE) functionality for hard drives and removable drives has been installed on a computer running on Microsoft Windows XP, the option of quickly switching between operating system users is blocked.
- Full disk encryption of devices with the FAT32 file system is not supported on computers running on Microsoft Windows XP and Microsoft Windows Vista. Use file and folder level encryption (FLE) to encrypt such devices or reformat them to the NTFS file system.
- Formatting of an encrypted removable drive is not supported on a computer with Kaspersky Endpoint Security installed.
- Formatting of an encrypted removable drive with the FAT32 file system is not supported (the device is displayed as encrypted). To be able to format the drive, reformat it to the NTFS file system.
- Issues of restoring the operating system from a backup copy to an encrypted GPT device.
- Coexistence of several download agents on one encrypted computer is not supported.
- It is impossible to access a removable drive that was previously encrypted on a different computer in case of simultaneous existence of the following conditions: there is no connection to the Kaspersky Security Center server; the user attempts authorization using a new token (a newly issued or replacement token) or a new password. If this happens, the computer has to be restarted. After the computer restart, access to the encrypted removable drive will be granted.
- In some cases, discovery of USB devices by the authentication agent is not supported when xHCI mode for USB is enabled in BIOS settings.
- Full-disk encryption (FDE) of the SSD part of the drive, which is used for caching the most frequently used data, is not supported for SSHD devices.
- Full-disk encryption of 32-bit Microsoft Windows 8 / 8.1 / 10 operating systems running in UEFI mode is not supported.
- Before the next encryption of the decrypted hard drive, computer restart is required.
- Hard drive encryption is incompatible with Kaspersky Anti-Virus for UEFI. It is not recommended to use full disk encryption on computers with Kaspersky Anti-Virus for UEFI installed.
- For support of authorization in the authentication agent using tokens and smart cards in UEFI systems, the Legacy ROM option must be enabled.
- Creating authentication agent accounts based on MS accounts is supported with the following restrictions: single sign-on technology is not supported; automatic authentication agent account creation is not supported if the option of creating accounts for users who entered the system during last N days has been selected.
- The list of devices which support hard drive encryption with limitations.
- If the FDE account name is "domain"/"Windows account name", then after changing the computer name you must also update the domain part of the account names created for local users on this computer. For example, the computer name is USER and your local user account name is Username, and the FDE account has been created under the name USER/Username. If the computer name (USER) has been changed (for example, to USER-PC), then you must change the FDE account name from USER/Username to USER-PC/Username. To change the FDE account name, use the local FDE accounts management task. Until the FDE account name is changed, only the old name can be used for preboot authentication (in the example: USER/Username).
- If the user restarts the computer when the message "Your password has been changed. Click OK" is displayed, the new password is not saved. Therefore, the old password must be used for the next preboot authentication.
- If the user is only allowed to access the host computer encrypted using FDE with a token and has performed the access restoring procedure, make sure that after restoring access to the encrypted host, the user is allowed to access it using the password in the authentication agent. In some cases, the password set when restoring access is not saved. In this case, the user will have to restore access to the encrypted host once again at the next computer restart.
Encryption of files and folders (FLE)
- File and folder encryption functionality is not supported under operating systems of the Microsoft Windows Embedded family.
- Encryption of files and folders (FLE) is not supported on tablets.
- Once you have installed the application, you must restart the operating system for the file and folder encryption functionality to work properly.
- When you use a computer where the encryption functionality is unavailable to access a file stored on a computer where the encryption functionality is available, direct access to the file is granted. When you use a computer where the encryption functionality of Kaspersky Endpoint Security is available to copy an encrypted file from a network folder to a computer with unavailable encryption functionality, such file is copied in non-encrypted format.
- You are advised to decrypt files that were encrypted with Encrypting File System, before encrypting files with Kaspersky Endpoint Security.
- After a file is encrypted, its size increases by 4 KB.
- After a file is encrypted, the "Archive" attribute is set in the file properties.
- When unpacking an encrypted archive, files from this archive overwrite those in the target folder in case any files with identical names are detected. The user is not informed of the overwriting operation.
- Portable File Manager errors are not displayed in the Portable File Manager interface.
- Kaspersky Endpoint Security does not launch Portable File Manager on a computer with file encryption functionality installed.
- When file encryption functionality is used, the application is incompatible with the Sylpheed email client.
- Editing of the swap file settings is not supported: the operating system uses default values instead of user-defined settings.
- Management of the directory structure (creating / renaming) in the distributed file system (DFS) is not supported when file and folder encryption functionality is installed on a computer under Microsoft Windows XP.
- Using FLE for full disk encryption is not recommended. For encryption of the system drive, use FDE.
- Safe removal should be used when working with encrypted removable drives. If a removable drive is removed unsafely, data safety on the removable drive is not guaranteed.
- After the files are encrypted, their non-encrypted original copies undergo safe removal.
- Synchronization of offline files using Client-Side Caching service (CSC) is not supported. It is recommended to prohibit offline management of shared resources at the level of group policies: offline files are still available for editing; however, changes made to an offline file can be lost after synchronization.
- Creation of an encrypted archive in the root of the system hard drive is not supported.
- In some cases, problems can be experienced when attempting to access encrypted files over the network. If this happens, it is recommended to move files to a different source or make sure that the computer used as a file server is managed by the same Kaspersky Security Center Administration Server.
- In some cases, changing the keyboard layout causes the password entry window for an encrypted self-extracting archive to stop responding. To solve this problem, close the password entry window, switch the keyboard layout in your operating system, and re-enter the password for the encrypted archive.
- When using file encryption on systems with several disk partitions, it is recommended that you use the automatic pagefile.sys file size identification option. Otherwise, the file pagefile.sys may be moved to a different partition upon computer restart.
- After applying file encryption rules, including the files located in the Documents folder, make sure all users for which the encryption was enabled have access to the files. Each of the users can log in with Kaspersky Security Center connected. When the user tries to access the encrypted files with no connection to Kaspersky Security Center, the system may stop responding.
- Encryption of files used by the system at the startup is not recommended. Otherwise, when the system tries to access these files without connection to Kaspersky Security Center, the system may stop responding or may show multiple requests on access to the files.
Encryption Module
- After the installation of the encryption module on the host with the encryption policy applied, the encryption status of the host will be Encryption error. To enable the encryption policy, restart the computer.
Licensing
- The task of adding keys through Kaspersky Security Center might not work correctly.
- If the "Error receiving data" system message is displayed, check if the computer on which you are performing activation has network access, or configure activation via Kaspersky Security Center Activation Proxy.
- When the subscription is disabled retrospectively, the product's functionality is disabled, the event "License Agreement violated" is written into the logs, and the new license is not activated automatically. To activate the new license, remove all licenses from the product and distribute the correct license once again.
Device Control
- In some cases, access to Printer devices added to the list of trusted devices is blocked by device and bus blocking rules.
- In some cases, blocking of devices at the level of connection buses is not supported on computers running under Microsoft Windows 8.1. You are advised to block devices by type.
- Execution of an executable file on a blocked removable drive is not blocked on computers running under Microsoft Windows XP.
Installing the application
- After being installed on an infected computer, the application does not inform the user that a scan of the computer is required. Problems with application activation may be experienced. To solve this problem, run the critical areas scan after the application installation.
- When non-ASCII characters (such as Russian letters) are used in the setup.ini file (including in the "InstallDir" parameter), it is recommended to use notepad.exe and save the file in "Encoding: Unicode" encoding or otherwise save the setup.ini file in UTF-16LE encoding. Other encodings are not supported.
- During remote deployment of the application through Kaspersky Security Center, incompatible software is removed by default. To prevent incompatible software from being removed, first enable and then disable the incompatible software removal attribute in the parameters of the installation package.
- If changing of application settings is password-protected, use the following commands to remove the encryption module:
- For the AES encryption module (256 bits): msiexec /x {090EAE5F-F428-49D5-9CAF-BEED98A702CA} KLLOGIN= KLPASSWD= /qn
- For the AES encryption module (56 bits): msiexec /x {51DAFEE1-44D0-4E1E-8F6B-80F57FEC5AE0} KLLOGIN= KLPASSWD= /qn
- During the product settings import from the cfg file, the option of participation in Kaspersky Security Network is not applied. After the settings are imported, you must review the Kaspersky Security Network Statement and select whether you agree to participate in Kaspersky Security Network. You can find the text of the Kaspersky Security Network Statement in the product interface or in the file ksn_*.txt in the product installation folder.
- If during the update of Kaspersky Endpoint Security 8 Critical Fix 2 for Windows and Kaspersky Endpoint Security 10 Maintenance Release 1 for Windows to Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows the user has changed the default folder C:\Program Files (x86) to C:\Program Files\, it will be impossible to delete the old version of the product.
- To install the product under Microsoft Windows Server 2003 R2 via RDP, you must disable protection of the installation process (run the installer with the /pSELFPROTECTION=0 key).
- When the encryption module (FLE or FDE) or the Device Control component is removed then installed again, computer restart is required before installation.
- The password set during reinstallation of Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows is not saved.
- To install Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows using Microsoft Windows group policies, use this guide.
- To restore Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows through the command line, execute the command: msiexec /I {7A4192A1-84C4-4E90-A31B-B4847CA8E23A} REINSTALL=ALL REINSTALLMODE=amus INSTALLMODE=Repair /l*vx c:\repair.log /qb
- To upgrade Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows to Service Pack 1 Maintenance Release 3 from the full installation package through the command line in the silent mode, add the parameter for accepting the terms of the EULA: setup.exe /s /pEULA=1. Setting the parameter EULA=1 through the setup.ini file is unavailable.
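As an added example (not Kaspersky's code), a pre-deployment check for the setup.ini encoding recommendation in the list above: it classifies the file's bytes, re-encodes them to UTF-16LE with the byte order mark that Notepad's "Unicode" option writes, and lists the parameters that contain non-ASCII values. The function names, the "[Setup]" section name and the sample path are assumptions made for the illustration.

```python
import codecs

BOM = codecs.BOM_UTF16_LE  # b"\xff\xfe", written by Notepad's "Unicode" encoding


def classify_setup_ini(data: bytes) -> str:
    """Classify raw setup.ini bytes as 'ascii', 'utf-16le' or 'rewrite'."""
    # The UTF-32 LE BOM (ff fe 00 00) also begins with ff fe, so rule it out first.
    if data.startswith(BOM) and not data.startswith(codecs.BOM_UTF32_LE):
        try:
            data[len(BOM):].decode("utf-16-le")
            return "utf-16le"
        except UnicodeDecodeError:
            return "rewrite"  # BOM present but the body is not valid UTF-16LE
    # NUL bytes without a BOM suggest BOM-less UTF-16; this example
    # conservatively asks for a re-save instead of guessing (an assumption).
    if b"\x00" in data:
        return "rewrite"
    try:
        data.decode("ascii")
        return "ascii"  # no non-ASCII characters, the recommendation does not apply
    except UnicodeDecodeError:
        return "rewrite"  # UTF-8, an ANSI code page, and so on


def to_utf16le(data: bytes, source_encoding: str) -> bytes:
    """Re-encode setup.ini from a known source encoding to UTF-16LE with BOM."""
    text = data.decode(source_encoding)  # raises if the stated encoding is wrong
    return BOM + text.lstrip("\ufeff").encode("utf-16-le")


def non_ascii_parameters(text: str) -> list[str]:
    """Return names of key=value parameters whose value has non-ASCII characters."""
    names = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.lstrip().startswith(";") and not value.isascii():
            names.append(key.strip())
    return names


# Constructed sample: the section name and the path are illustrative.
SAMPLE_TEXT = "[Setup]\r\nInstallDir=C:\\Программы\\KES\r\n"
SAMPLE_UTF8 = SAMPLE_TEXT.encode("utf-8")

if __name__ == "__main__":
    print(classify_setup_ini(SAMPLE_UTF8))
    fixed = to_utf16le(SAMPLE_UTF8, "utf-8")
    print(classify_setup_ini(fixed), non_ascii_parameters(SAMPLE_TEXT))
```

Pass the encoding the file was actually saved in (for example "cp1251" or "utf-8") to to_utf16le; a wrong guess either raises or produces mojibake in InstallDir.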
Advanced Disinfection technology
- Under server operating systems, no warning of required advanced disinfection is displayed.
- In some cases, the application does not start automatically after a restart on computers running under Microsoft Windows XP SP3. In this case, the computer has to be restarted.
Firewall
Filtering packets / connections by local addresses, physical interface, and TTL is supported in the following cases:
- by local address for outgoing packets / connections in applications rules (for TCP and UDP) and packet rules;
- by local address for incoming packets / connections (except for UDP) in blocking rules of apps and packet rules;
- by packet TTL in blocking packet rules for incoming / outgoing packets;
- by network interface for incoming and outgoing packets / connections in packet rules.
Compatibility with third-party software
- For compatibility with Blue Coat Unified Agent, disable scanning of the ports it uses (for example, 80, 443).
- Citrix Xen Desktop: before cloning of virtual machines which use vDisk, Self-Defense must be disabled.
Other
- If a scan of startup objects detects an infected file and the user has not applied Advanced Disinfection, then restoring the infected file from Quarantine before restarting the computer results in a permanent deletion of the file after the restart.
- In some cases, web addresses added to the list of trusted web addresses can be processed incorrectly.
- In some cases, application events are displayed incorrectly in Kaspersky Security Center reports.
- Recovery of objects moved to Quarantine by Mail Anti-Virus is not supported.
- System Watcher: full information about processes is not displayed.
- The task that changes the set of application components via Kaspersky Security Center does not work if the application settings are password-protected.
- In some cases, at the first startup of the product, a subscribed app may be temporarily moved to an incorrect group. Later the group will be automatically changed to the correct one.
- If during scanning of the drive a threat has been detected inside the container which cannot be disinfected by the product, the container will appear in the list of unprocessed files. The object is not moved to the software backup storage from its initial location in the file system. It will be detected at the next scan. The object must be removed manually. At the next scan, the object will be moved from the list of unprocessed files to the list of disinfected objects. The list of the types of containers which can be disinfected by the product is available in the documentation.
- Vulnerability scan takes a long time if many updates for Microsoft Windows are not installed on the host.
- Antivirus databases are not saved to Kaspersky Security Center repository if the host with Kaspersky Security Center has Kaspersky Endpoint Security 10 for Windows installed with the Application Launch Control enabled. Contact Technical Support to get the fix.
- When checking mail with the MS Outlook plugin, we recommend that you use the Cached Exchange Mode (option Use Cached Exchange Mode).