Kaspersky Embedded Systems Security 2.2 release notes
Kaspersky Embedded Systems Security 2.2 was released on November 20, 2018. Full version number is 184.108.40.2065.
Kaspersky Embedded Systems Security protects a variety of embedded systems under Microsoft Windows OS, including ATM (automated teller machines) and POS (points of sale), against viruses and other computer threats.
Kaspersky Embedded Systems Security protects devices with limited RAM (256 MB or more) and limited hard disk space (100 MB or more).
- Support for new versions of Microsoft Windows operating systems.
- Self-defense mechanisms based on ELAM and PPL technologies: now when the application is installed, it automatically registers an ELAM driver that makes it possible to start the Kaspersky Security service (kavfs.exe) with the Protected Process Light attribute. This makes it possible to bolster the application's self-defense and prevent a broad range of attacks. The functionality is available when the application is installed on computers running Microsoft Windows Server 2016 and higher.
- Support for checking and processing cloud files stored in Microsoft OneDrive.
- Improved capabilities of the installation package control subsystem. Now you can indicate which installation files can pass the trusted installation package attribute for the entire chain of files extracted from them. This makes it possible to increase the stability of the software installation processes on a server with enabled Applications Launch Control, but it also increases the scope for a potential attack by increasing the number of authorized application launches. We recommend using the parameter during complex software deployments, including when the server must be restarted during the software distribution process.
- Integration with WMI tools. Now when the application is installed, a Kaspersky Security namespace is automatically created in the WMI root namespace on the local computer. You can use client solutions that support WMI queries to obtain data about the application and its components.
- The format for displaying information about the application and its components has been expanded with the KAVSHELL OMSINFO command. Now you can get information about the status of the Applications Launch Control task as well as information about installed critical updates of application modules.
- Improved capabilities for managing and monitoring application state using the Compact Diagnostic Interface.
- Now you can review the statistics counters for installed components on the Statistics tab of the Compact Diagnostic Interface.
- The password is not required upon accessing the Compact Diagnostic Interface, even if the password-protection feature is on: the application limits access to the information and control elements that are available in the Compact Diagnostic Interface basing only on the specified user permissions for the application management.
- The feature of basic protection during the operating system startup has been added. By default, the application does not work in the environment of the Safe Mode. For application to start automatically when the computer is booted in the Safe Mode, open the Windows Registry key: HKLM\SYSTEM\CurrentControlSet\services\klam\Parameters and change the value of the LoadInSafeMode parameter to 1. The application functions with limitations in the Safe Mode environment.
- Kaspersky Security Center reports about the applications blocked at startup and the status of Kaspersky Embedded Systems Security. Components have been improved.
- Now you can view the statistics on the applications that were blocked at startup according to the Application Launch Control task, in the combined report of Kaspersky Security Center.
- Now you can view the information about the status of the installed components for each managed computer in the Kaspersky Security Center console. The feature is available if you are using Kaspersky Security Center 11.
- Users’ permissions for changing the installation folder and editing critical registry branches of the application components have been restricted.
On-demand scan, real-time file protection and memory protection
- Upon connection, anti-virus scanning of MTP devices is unavailable.
- Scanning of archive objects is not available without scanning SFX archives. When archive scanning mode in the Kaspersky Security for Windows Server security settings, the application automatically scans both objects in archives as well as objects in SFX archives. It is still possible to scan SFX archives without scanning all other archives.
- The Exploit Prevention component does not protect applications installed through the Microsoft Store on Windows Server 8 and Windows Server 8.1.
- Exploit prevention functionality is not available if the apphelp.dll library is absent in the current environment configuration.
- The Exploit Protection component is incompatible with the EMET application (Microsoft solution) if used on computers running Windows 10.
Computer control and diagnostics
- The Device Control task scope includes MTP-connected storage devices if a protected computer works under OS Microsoft Windows 7 or higher. Kaspersky Embedded Systems Security controls MTP-connected storage devices on a protected computer running Microsoft Windows XP, if the driver sets the GUID class for external devices to the same value as the standard Windows driver GUID value.
- The Log Inspection task does not detect Windows Event Log event ID602 on computers running Windows XP.
- The Log Inspection task detects entire Windows Event Log clearing only on computers running Windows Vista or higher.
- The Log Inspection task detects potential Kerberos (MS14-068) attack patterns only on computers running Windows Server 2008 and higher in the role of a domain controller with installed updates.
- When the Firewall rule scope consists of one IP-address only, the IPv6 format support is unavailable.
- On the Firewall Management task launch the following rules types are automatically erased from the Windows Firewall rules list:
- deny rules
- outbound rules
- The application is unable to receive Windows Firewall events for the Firewall Management task log if installed on a computer running Microsoft Windows XP. To record task statistics it is necessary to turn on the processes tracking function in the security settings of the Microsoft Windows local policy.
- Predefined rules for the Firewall Management policy ensure basic interaction between local computers and the Administration Server. To use the full functionality of Kaspersky Security Center, you must manually set rules to allow ports. For more information about port numbers, protocols, and their functions, see this article.
- When requests are made by the Firewall Management task at minute intervals, the application does not control changes to Windows Firewall rules and groups of rules that were added when installing the Firewall Management component. To update the status and presence of such rules, you must restart the Firewall Management task.
- For the proper functioning of the Firewall Management component on computers running a Microsoft Vista operating system or higher, you need to start the Windows Firewall Service (launched by default).
- On Microsoft Windows XP, the SharedAccess service must be started for Windows Firewall to work. By default, the service is suspended and the service is started only with Administrator privileges. If the Firewall Management component is started when the SharedAccess service is suspended, the component state displayed by the application is out of date. Visually, the task is active and running, but Windows Firewall is not started and the network rules are not applied.
Installation and migration to the new version
- During installation of the application, a warning occurs about the path being too long if the full path to the installation folder for Kaspersky Security for Windows Server contains more than 150 characters. The warning does not affect the installation process.
- Installing the SNMP Protocol Support component requires restarting the SNMP service if this service is running.
- Windows Installer 3.1 is required for Kaspersky Embedded Systems Security to install and work properly on a computer running OS Microsoft Windows XP SP2. By default, the component is not included in the OS Microsoft Windows XP SP2 distribution kit. You can download and install Windows Installer 3.1 component manually.
- The Filter Manager component is required for Kaspersky Embedded Systems Security to install and work properly on a computer running embedded operating systems.
- Installation of Kaspersky Embedded Systems Security Administration Tools using Microsoft Active Directory group policies is not supported.
- When installing the application on computers running operating systems that are no longer supported and are unable to receive regular updates, you must check for the following root certificates:
- DigiCert Assured ID Root CA
- The automatic adding of read permissions for NETWORK SERVICE user is not supported when migrating to a new version. By default this permission is assigned in the application management access permissions settings during the installation of Kaspersky Embedded Systems Security version 2.2. To avoid errors in the functioning of the WMI Provider after the update, you need to manually allow reading for the NETWORK SERVICE user in the application settings or apply the updated Kaspersky Security Center policy.
- The operating system addresses an invalid Kaspersky Embedded Systems Security installation directory if the CaseSensitive attribute is used for that directory. The services.exe process detects the Kaspersky Embedded Systems Security installation directory incorrectly and cannot execute services that are critical for the application core functions. Defective behavior recurs on the operating system side and can only be fixed only with the Microsoft Windows updates. To avoid errors, we recommend installing Kaspersky Embedded Systems Security in a directory without the CaseSensitive attribute.
The application cannot be activated using a key from the installation wizard if the key file is located on a disk created using the SUBST command or the specified path to the key file is a network path.
The Kaspersky Embedded Systems Security icon is hidden by default after the installation of critical updates.
- In Kaspersky Embedded Systems Security Console, the filter is case-sensitive for the following nodes: Quarantine, , , .
- The remote connection to the Kaspersky Embedded Systems Security Console is unavailable if the application is installed on a computer that is running Microsoft Windows XP SP2 with default network access configurations and is not connected to a domain. By default, the Guest only mode is applied for an XP SP2 local accounts security model. To activate the option of remote use of Console, manually change the value to Classic in the local policy security settings on a computer with Kaspersky Embedded Systems Security installed.
- When protection and scan scopes are configured using Kaspersky Embedded Systems Security Console, it is possible to use only one mask in each path and only at the end of the path Correct mask examples:
This limitation does not apply to the Trusted Zone component.
Kaspersky Security Center integration.
- Kaspersky Security Center Administration Server checks the application database updates before its distribution on the computer network. The application module updates are not verified by the Administration Server.
- When working with components that transfer dynamic, changing data to Kaspersky Security Center using network lists (such as Quarantine or Backup), make sure that the appropriate check boxes are ticked in the settings for Administration Server interaction.
- The application partially supports CaseSensitive directories. Known scenarios in which CaseSensitive directories are not supported by the application include:
- Exclusions specified in the settings of protection and scan tasks
- Trusted Zone exclusions
- Applications Launch Control rules When processing application launches in the scope of rules applied by the path, the application adjusts path values to the upper register. This broadens the scope of allowing and denying rules for the CaseSensitive-directories. To lower the risks of starting blocked applications due to the expansion of the allowing rules scope, it is recommended to set allowing rules with strict criteria (check sum or digital certificate).
- When using a command line utility, special characters may be displayed if the operating system’s regional settings match the localization of Kaspersky Security for Windows Server.
- When basic authentication is used on a proxy server, authentication errors may occur when the user name or password are set using multi-byte encoding.
- When a file is restored from Quarantine or Backup, the Encrypted value in the file attributes is not restored.
- The mirror server cannot be used if the application connects to syslog-server via the UDP protocol.
- The device type may not be recognized when a USB connection event is generated. In this case only the device’s GUID will be displayed.
- Insufficient rights for managing root WMI namespaces on a computer can lead to errors creating application namespaces. If Kaspersky Security namespace is absent in the root namespace of the computer after the WMI Provider component installation, please, send a request to Kaspersky Lab technical support via Kaspersky Lab CompanyAccount for recommendations on configuring WMI security settings on the computer.
- It is impossible to restore the Kaspersky Security (KAVFS) service after it crashes if the service was not protected with the PPL technology at the moment it was closed. For details, see this article.