KEA to KES Migration Guide for EDR (KATA)

Starting with version 12.1, Kaspersky Endpoint Security for Windows includes a built-in agent for managing the Kaspersky Endpoint Detection and Response component as part of the Kaspersky Anti Targeted Attack Platform solution. You no longer need a separate Kaspersky Endpoint Agent application to work with EDR (KATA). All functions of Kaspersky Endpoint Agent will be performed by Kaspersky Endpoint Security. The load on Kaspersky Anti Targeted Attack Platform servers will remain the same.

When you deploy Kaspersky Endpoint Security on computers that have Kaspersky Endpoint Agent installed, Kaspersky Anti Targeted Attack Platform (EDR) solution will continue working with Kaspersky Endpoint Security. In addition, Kaspersky Endpoint Agent will be removed from the computer. The same behavior in the system will occur when you update Kaspersky Endpoint Security to version 12.1 or higher.

Kaspersky Endpoint Security is not compatible with Kaspersky Endpoint Agent. You cannot install both of these applications on the same computer.

The following conditions must be met for Kaspersky Endpoint Security to work as part of Endpoint Detection and Response (KATA):

• Kaspersky Anti Targeted Attack Platform version 4.1 or higher.
• Kaspersky Security Center version 13.2 or higher (including Network Agent). In earlier versions of Kaspersky Security Center, it is impossible to activate the Endpoint Detection and Response (KATA) feature.

Steps for migrating [KES+KEA] configuration to [KES+built-in agent] for EDR (KATA)

1. Upgrading the Kaspersky Endpoint Security Management Plug-in

   EDR (KATA) component can be managed using the Kaspersky Endpoint Security Management Plug-in version 12.1 or higher. Depending on the type of Kaspersky Security Center console you are using, update the management plug-in in the Administration Console (MMC) or the web plug-in in the Web Console.

2. Migrating policies and tasks

   Transfer Kaspersky Endpoint Agent settings to Kaspersky Endpoint Security for Windows. The following options are available:

   • A wizard for migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security. A wizard for migrating from Kaspersky Endpoint Agent to Kaspersky Endpoint Security works only in Web Console

     How to migrate policy and task settings from Kaspersky Endpoint Agent to Kaspersky Endpoint Security in Web Console

     In the main window of the Web Console, select Operations → Migration from Kaspersky Endpoint Agent.

     This runs the policies and tasks migration wizard. Follow the instructions of the Wizard.

     Step 1. Policy migration

     The Migration Wizard creates a new policy which merges the settings of Kaspersky Endpoint Security and Kaspersky Endpoint Agent policies. In the policy list, select Kaspersky Endpoint Agent policies whose settings you want to merge with the Kaspersky Endpoint Security policy. Click the Kaspersky Endpoint Agent policy in order to select the Kaspersky Endpoint Security policy with which you want to merge settings. Make sure you selected the correct policies and go to the next step.

     Step 2. Task migration

     The Migration Wizard does not support EDR (KATA) tasks. Skip this step.

     Step 3. Wizard completion

     Exit the Wizard. As a result of the wizard, a new Kaspersky Endpoint Security policy will be created. The policy merges settings from Kaspersky Endpoint Security and Kaspersky Endpoint Agent. The policy is called <Kaspersky Endpoint Security policy name> & <Kaspersky Endpoint Agent policy name>. The new policy has the Inactive status. To continue, change the statuses of Kaspersky Endpoint Agent and Kaspersky Endpoint Security policies to Inactive and activate the new merged policy.

     The migration wizard in Web Console skips the following policy settings and does not migrate them:

     • Settings modification prohibition Settings for connecting to KATA servers ("lock").

       By default, settings can be modified (the "lock" is open). Therefore the settings are not applied on the computer. You must prohibit the modification of settings and close the "lock".

     • Crypto-container.

       If you are using two-way authentication for connecting to Central Node servers, you must re-add the crypto-container.

     As the Migration Wizard does not migrate these settings, you may encounter errors when connecting the computer to Central Node servers. To fix the errors, you need to go to the policy properties and configure the connection settings.

   • A standard Policies and tasks batch conversion wizard. The Policies and tasks batch conversion wizard is only available in the Administration Console (MMC). For more details about Policies and tasks batch conversion wizard, please refer to the Kaspersky Security Center Help.

   To make sure Kaspersky Endpoint Security works correctly on servers, it is recommended to add files important for the server's functioning to the trusted zone. For SQL servers, you must add MDF and LDF database files. For Microsoft Exchange servers, you must add CHK, EDB, JRS, LOG, and JSL files. You may use masks, for example, C:\Program Files (x86)\Microsoft SQL Server\*.mdf.

   EDR telemetry exclusions do not migrate from the Kaspersky Endpoint Agent policy to the Kaspersky Endpoint Security policy. Kaspersky Endpoint Security has its own exclusion tools - trusted applications. The operation of Kaspersky Endpoint Security is optimized so that the absence of individual EDR telemetry exclusions will not cause any additional load on your computer in comparison with Kaspersky Endpoint Agent. Kaspersky Endpoint Security uses telemetry not only for EDR (KATA), but also for the operation of application protection components. Therefore, there is no need to transfer individual EDR telemetry exclusions. If you experience a decrease in computer performance, check the application's operation (see step 7 Checking performance).

3. Licensing the EDR (KATA) functionality

   To activate Kaspersky Endpoint Security as part of the Kaspersky Anti Targeted Attack Platform solution, you need a separate license for Kaspersky Endpoint Detection and Response (KATA) Add-on. You can add the key using the Add key task. As a result, two keys will be added to the application: Kaspersky Endpoint Security and Kaspersky Endpoint Detection and Response (KATA).

   Licensing Kaspersky Endpoint Detection and Response (KATA) Add-on on computers with previously activated EDR Optimum or EDR Expert features involves the following special considerations:

   • If you are using a key file for licensing Kaspersky Endpoint Security with EDR Optimum or EDR Expert features, you cannot add a separate key for Kaspersky Endpoint Detection and Response (KATA) Add-on. You can either switch to using an activation code for licensing, or contact your service provider to obtain a new key file for activating Kaspersky Endpoint Security and EDR features. The service provider will provide one or more key files for licensing.
   • If you are using a key file for licensing Kaspersky Endpoint Security without EDR Optimum or EDR Expert features, you can add a separate key for Kaspersky Endpoint Detection and Response (KATA) Add-on without having key files reissued.
   • If you are using an activation code for licensing, Kaspersky activation server will automatically reissue the keys, and EDR (KATA) features will become available automatically. In this case, EDR Optimum and EDR Expert will be disabled.
   • Kaspersky Endpoint Security allows you to add up to two active keys: Kaspersky Endpoint Security key and Add-on type key. You can also add up to two reserve keys. One Kaspersky Endpoint Security reserve key and one Add-on type reserve key.
4. Installing / Upgrading the Kaspersky Endpoint Security application

   To migrate EDR (KATA) functionality during an application installation or upgrade, it is recommended to use the remote installation task. When creating a remote installation task, you need to select EDR (KATA) component in the installation package settings.

   You can also upgrade the application using the following methods:

   • Using the Kaspersky update service.
   • Locally, by using the Setup Wizard.

   Kaspersky Endpoint Security supports automatically selecting components when upgrading the application on a computer with the Kaspersky Endpoint Agent application installed. The automatic selection of components depends on the permissions of the user account that is upgrading the application.

   If you are upgrading Kaspersky Endpoint Security using the EXE or MSI file under the system account (SYSTEM), Kaspersky Endpoint Security gains access to current licenses of Kaspersky solutions. Therefore, if the computer has Kaspersky Endpoint Agent installed and EDR (KATA) solution activated, the Kaspersky Endpoint Security installer automatically configures the set of components and selects the EDR (KATA) component. This makes Kaspersky Endpoint Security switch to using the built-in agent and removes Kaspersky Endpoint Agent. Running the MSI installer under the system account (SYSTEM) is usually performed when upgrading via the Kaspersky update service or when deploying an installation package via Kaspersky Security Center.

   If you are upgrading Kaspersky Endpoint Security using an MSI file under a non-privileged user account, Kaspersky Endpoint Security lacks access to current licenses of Kaspersky solutions. In this case, Kaspersky Endpoint Security automatically selects components based on a set of components of Kaspersky Endpoint Agent. After that Kaspersky Endpoint Security switches to using the built-in agent and removes Kaspersky Endpoint Agent.

   Kaspersky Endpoint Security supports upgrading without computer restart. You can select the application upgrade mode in policy properties.

5. Checking the application operation

   If after application installation or upgrade, the computer has the Critical status in the Kaspersky Security Center console:

   • Make sure that the computer has Network Agent version 13.2 or higher installed.
   • Check the operating status of the built-in agent by viewing the Application components status report. If a component has the Not installed status, install the component using the Change application components task. If a component has the Not covered by license status, make sure that you have activated the built-in agent functionality.
   • Make sure you accept the Kaspersky Security Network Statement in the new policy of Kaspersky Endpoint Security for Windows.
6. Checking the connection to Kaspersky Anti Targeted Attack Platform server

   Check the connection to Kaspersky Anti Targeted Attack Platform server. To do so:

   1. Check that you have a valid certificate.
   2. Check the server connection settings.
   3. Check the event log.

      If a connection to the server is established, the application sends the event Successful connection to the Kaspersky Anti Targeted Attack Platform server. If there is no successful connection event and there are no events with connection errors, check the event log settings and enable event sending for Endpoint Detection and Response (KATA).

   The server connection status does not affect the computer status in the Kaspersky Security Center console. Therefore, if there is no connection to the server, the computer can still have the OK status. Check the event log to verify the connection to the server.

7. Checking performance

   If your computer's performance has slowed down after installing or updating an application, you can optimize data transfer. To do so:

   1. Disable the EDR (KATA) component and check that the performance degradation is due to EDR (KATA).
   2. For trusted applications, turn off telemetry collection on console input operations (enabled by default).
   3. Add applications that reduce computer performance to the list of trusted applications.
   4. Contact Kaspersky Technical Support. Support experts will help you to configure telemetry filtering in Kaspersky Anti Targeted Attack Platform. This will reduce the amount of traffic. If your computer performance is affected by a certain application, attach the distribution package of that application to the request.