Installation and uninstallation settings and command line options for the Windows Installer service

This section contains descriptions of the settings for installing and uninstalling Kaspersky Embedded Systems Security, their default values, keys for changing the installation settings, and their possible values. These keys can be used in conjunction with standard keys for the Windows Installer service's msiexec command when installing Kaspersky Embedded Systems Security from the command line.

Installation settings and command line options in Windows Installer

• Acceptance of the terms of the End User License Agreement: you must accept the terms to install Kaspersky Embedded Systems Security.

  The possible values for EULA=<value> command line option are as follows:

  • 0 – you reject the terms of the End User License Agreement (default value).
  • 1 – you accept the terms of the End User License Agreement.
• Acceptance of the terms of the Privacy Policy: you must accept the terms to install Kaspersky Embedded Systems Security.

  The possible values for PRIVACYPOLICY=<value> command line option are as follows:

  • 0 – you reject the terms of the Privacy Policy (default value).
  • 1 – you accept the terms of the Privacy Policy.
• Allow installation of Kaspersky Embedded Systems Security if the KB4528760 update not installed. For detailed information about the KB4528760 update please visit Microsoft website.

  The possible values for SKIPCVEWINDOWS10=<value> command line option are as follows:

  • 0 – cancel the installation of Kaspersky Embedded Systems Security if the KB4528760 update is not installed (default value).
  • 1 – allow the installation of Kaspersky Embedded Systems Security if the KB4528760 update is not installed.

  The KB4528760 update fixes the CVE-2020-0601 security vulnerability. For detailed information about the CVE-2020-0601 security vulnerability please visit the Microsoft website.

• Installation of Kaspersky Embedded Systems Security with restored defined settings from the previous version during update.

  The possible values for RESTOREDEFSETTINGS=<value> command line option are as follows:

  • 0 – all data from the previous version is transferred to a new version during update (default value).
  • 1 – only the file with activation data and private keys is transferred to a new version during update ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Data\product.dat). All other data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, is removed.
• Installation of Kaspersky Embedded Systems Security with reports preserved from the previous versions during update.

  The possible values for KEEP_REPORTS=<value> command line option are as follows:

  • 0 – all data from the previous version is transferred to a new version during update, except for reports ([drive]:\ProgramData\Kaspersky Lab\<product>\<version>\Reports). Reports are removed.
  • 1 – all data from the previous version, such as settings, anti-virus databases, reports, quarantine and backup objects, is transferred to a new version during update (default value).
• Installation of Kaspersky Embedded Systems Security with a preliminary scan of active processes and the boot sectors of local disks.

  The possible values for PRESCAN=<value> command line option are as follows:

  • 0 – do not perform a preliminary scan of active processes and the boot sectors of local disks during the installation (default value).
  • 1 – perform a preliminary scan of active processes and the boot sectors of local disks during the installation.
• Destination folder where Kaspersky Embedded Systems Security files will be saved during installation. A different folder can be specified.

  The default values for INSTALLDIR=<full path to the folder> command line option are as follows:

  • Kaspersky Embedded Systems Security: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security
  • Administration tools: %ProgramFiles%\Kaspersky Lab\Kaspersky Embedded Systems Security Admins Tools
  • On the x64-bit version of Microsoft Windows: %ProgramFiles(x86)%
• The Real-Time File Protection task starts immediately after Kaspersky Embedded Systems Security starts. Turn on this setting to start Real-Time File Protection when Kaspersky Embedded Systems Security starts (recommended).

  The possible values for RUNRTP=<value> command line option are as follows:

  • 1 – start (default value).
  • 0 – do not start.
• Objects excluded from the protection scope according to Microsoft Corporation recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Microsoft Corporation recommends to exclude. Some applications on the protected device may become unstable when an anti-virus application intercepts or modifies the files they use. For example, Microsoft Corporation includes some domain controller applications in the list of such objects.

  The possible values for ADDMSEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Objects excluded from the protection scope according to Kaspersky recommendations. In the Real-Time File Protection task exclude from the protection scope objects on the device that Kaspersky recommends to exclude.

  The possible values for ADDKLEXCLUSION=<value> command line option are as follows:

  • 1 – exclude (default value).
  • 0 – do not exclude.
• Allow remote connection to the Application Console. By default, remote connection is not allowed to the Application Console installed on the protected device. During the installation, you can allow connection. Kaspersky Embedded Systems Security creates allowing rules for the process kavfsgt.exe using the TCP protocol for all ports.

  The possible values for ALLOWREMOTECON=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Path to the key file (LICENSEKEYPATH

  )

  . By default, the Windows Installer attempts to find the file with .key extension in the \product folder of the distribution kit. If the \product folder contains several key files, the Windows Installer will select the key file that has the farthest expiration date. A key file can be saved beforehand in the \product folder or by specifying another path to the key file using the Add key setting. You can add a key after Kaspersky Embedded Systems Security is installed using an administrative tool of your choice: for example, the Application Console. If you do not add a key during installation of the application, Kaspersky Embedded Systems Security will not function.
• Path to the configuration file. Kaspersky Embedded Systems Security imports settings from the specified configuration file created in the application. Kaspersky Embedded Systems Security does not import passwords from the configuration file, for example, account passwords for starting tasks, or passwords for connecting to a proxy server. Once the settings are imported, you will have to enter all passwords manually. If the configuration file is not specified, the application will start to work with the default settings after setup.

  The default value for CONFIGPATH=<configuration file name> is not specified.

• Mode of the Scan at Operation System startup task (SCANSTARTUP_BLOCKING). If you install Kaspersky Embedded Systems Security in the install mode without the SCANSTARTUP_BLOCKING key, the Scan at Operation System startup task has the following parameters assigned to the Scan scope setting:
  • Action to perform on infected and other objects: Notify only
  • Action to perform on probably infected objects: Notify only

  If you install Kaspersky Embedded Systems Security in the install mode using the SCANSTARTUP_BLOCKING key, the Scan at Operation System startup task has the following parameters assigned to the Scan scope setting:

  • Action to perform on infected and other objects: Perform recommended action
  • Action to perform on probably infected objects: Perform recommended action

  The Scan at Operation System startup task is created automatically. By default, the Notify only mode is applied. In this case, after you deploy Kaspersky Embedded Systems Security on the devices, you can enable the Scan at Operation System startup task if no issues with system services were discovered during scan. If the application detects critical system services as infected or probably infected objects, the Notify only mode gives you time to figure out the reason and solve the issue. If the application applies the Perform recommended action mode, which calls the Disinfect. Remove if disinfection fails action, disinfection or removal of the system files may result in critical issues with the operating system startup.

• Enabling network connections for the Application Console option is used to install Kaspersky Embedded Systems Security Console on another device. You can remotely manage device protection from another device with the Kaspersky Embedded Systems Security Console installed. Port 135 (TCP) is opened in Microsoft Windows Firewall, network connections are allowed for the executable file kavfsrcn.exe for remote management of Kaspersky Embedded Systems Security, and access is granted to DCOM applications. When installation is complete, add users to the ESS Administrators group to let them remotely manage the application, and allow network connections to the Kaspersky Security Management Service (kavfsgt.exe file) on the protected device. You can read more about additional configuration when the Kaspersky Embedded Systems Security Console is installed on another device.

  The possible values for ADDWFEXCLUSION=<value> command line option are as follows:

  • 1 – allow.
  • 0 – deny (default value).
• Disabling the check for incompatible software. Use this setting to enable or disable the check for incompatible software during background installation of the application on the protected device. Regardless of the value of this setting, during installation of Kaspersky Embedded Systems Security, the application always warns about other versions of the application installed on the protected device.

  The possible values for SKIPINCOMPATIBLESW=<value> command line option are as follows:

  • 0 – The check for incompatible software is performed (default value).
  • 1 – The check for incompatible software is not performed.

Uninstallation settings and command line options in Windows Installer

• Restoring quarantined objects.

  The possible values for RESTOREQTN=<value> command line option are as follows:

  • 0 – Remove quarantined content (default value).
  • 1 – Restore quarantined content to the folder specified by the RESTOREPATH parameter into the \Quarantine subfolder.
• Restoring the content of backup.

  The possible values for RESTOREBCK=<value> command line option are as follows:

  • 0 – Remove backup content (default value).
  • 1 – Restore backup contents to the folder specified by the RESTOREPATH parameter into the \Backup subfolder.
• Enter the current password to confirm the uninstallation (if password protection is enabled).

  The default value for UNLOCK_PASSWORD=<specified password> is not specified.

• Folder for restored objects. Restored objects will be saved to the specified folder.

  The default value for RESTOREPATH=<full path to the folder> command line option is %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\Kaspersky Embedded Systems Security\3.2\Restored