Kaspersky Embedded Systems Security 3.0 (22.214.171.124) release notes
Kaspersky Embedded Systems Security 3.0 was released on April 23, 2020. Full version number is 126.96.36.199.
Kaspersky Embedded Systems Security protects a variety of embedded systems under Microsoft Windows OS, including ATM (automated teller machines) and POS (points of sale), against viruses and other computer threats.
Kaspersky Embedded Systems Security protects devices with limited RAM (256 MB or more) and limited hard disk space (100 MB or more).
- We have added:
- Network Threat Protection: a new component that provides analysis of incoming traffic for the signs of network attacks is implemented. If a threat is detected, the Network Threat Protection component blocks the compromised IP address.
- Processing of persistent WMI subscriptions. Now the application detects suspicious WMI subscriptions in the WMI namespace and deletes them. Monitoring of persistent WMI subscriptions is performed as part of the on-demand scan tasks with the "Startup Objects" scan area enabled.
- Anti-virus scan of the tasks created in the System Planner. Monitoring of tasks created by the System Planner is performed as part of the on-demand scan tasks with the "Startup Objects" scan area enabled.
- Administration Web-Plug-in. Now you can manage the application using Kaspersky Security Center Web Console.
- The capability to use the application in the Long Term mode. Now you can activate the application for a long term, during which it will control launches of restricted applications.
- Kaspersky Security Center policy profiles for the Trusted Zone lists. Now you can create policy profiles for the lists of trusted processes and for the Trusted Zone exclusion lists using the Management Plug-in version 3.0.
- Monitoring of on-demand file changes based on cryptography. The application allows generating baseline lists of files and running checks on the compliance of files on the disk with the baseline parameters. The application detects the following mismatches with the baseline: creation of new files in the monitored areas, deletion of files from the monitored areas, changes of the monitored file checksum.
- Generation of Kaspersky Security Center incidents basing on events of blocked application launches and connection of devices in audit mode.
- Blocking changes of the important parameters in the USN (Update Sequence Number) log. The application uses USN log entries to monitor file operations. You can prevent deletion of USN log entries and change the threshold for the maximum USN log size.
- Notification on changes of the important parameters in the USN (Update Sequence Number) log. If you have not prohibited changes to the important parameters in the USN log, the application will report attempts to delete entries from the USN log by publishing the events in application reports.
- The Real-Time Protection task settings now allow you to enable the launch of the Critical Areas Scan task if signs of active infection are detected. If this option is enabled, the application automatically creates and starts a temporary Critical Areas Scan task on the computer where an active infection was detected.
- Information about the checksum of the object being processed in detection events, which are published in Kaspersky Security Center reports, is added.
- The capability is added to configure the triggering criteria for the applications launch control rule when creating rules based on events of blocked launches in the Kaspersky Security Center Console.
- Control of the network cards and modems connection. The Device Control and Automatic Rule Generator for Device Control tasks support creation and application of rules that block connection of untrusted network cards and modems via USB.
- Triggering criteria for custom rules of the Log Analysis component. Now you can set the rules for the value of the "Source" parameter in the Windows Event Log entry.
- Trace log files rotation options.
- The list of supported operating systems.
- Methods of protection against active threats are optimized. Now the application notifies you if the signs of active infection are detected during the Real-Time Protection tasks execution. The application marks the detected objects for deletion and deletes such objects from the computer after reboot.
- The application interface is aligned with the new brand policy of the company.
- Bugs from the previous versions are fixed: the application includes the bug-fixes, issued for the previous versions.
On-demand scan, real-time file protection and memory protection
- Anti-Virus Scan on connection is unavailable for the MTP devices.
- The archive objects scan also scans the SFX archives. When archive scan mode is enabled in the Kaspersky Embedded Systems Security security settings, objects are scanned both in archives and in SFX archives. It is still possible to scan SFX archives without scanning all other archives.
- The exploit prevention functionality is unavailable if a protected computer does not have access to a apphelp.dll library.
- The Exploit Protection component is incompatible with the EMET application (Microsoft solution) if used on computers running Windows 10. Kaspersky Embedded Systems Security blocks EMET functions if the installation or removal of the Exploit Protection component is performed on a computer with the EMET application installed.
- Simultaneous usage of DEP mitigation technique with switched-off system DEP may lead to operation errors of the protected processes and the operating system as a whole.
Computer control and diagnostics
- The Device Control task scope includes MTP-connected storage devices if a protected computer works under OS Microsoft Windows 7 or higher. Kaspersky Embedded Systems Security controls MTP-connected storage devices on a protected computer running Microsoft Windows XP, if the driver sets the GUID class for external devices to the same value as the standard Windows driver GUID value.
- IP-address exclusions for the Log Inspection heuristic analyzer are not available on computers running a Windows XP operating system. The restriction is not valid for computers running Windows Vista or higher.
- The Log Inspection task does not detect Windows Event Log event ID602 on computers running Windows XP. The restriction is not valid for computers running Windows Vista or higher.
- The Log Inspection task detects entire Windows Event Log clearing only on computers running Windows Vista or higher.
- When the Firewall rule scope consists of one IP-address only, the IPv6 format support is unavailable.
- On the Firewall Management task launch the following rules types are automatically erased from the Windows Firewall rules list:
- deny rules
- outbound rules
- The application is unable to receive Windows Firewall events for the Firewall Management task log if installed on a computer running Microsoft Windows XP. Enabling of the audit process tracking in the Microsoft Windows local policy settings is required to activate the task log writing.
- Predefined rules for the Firewall Management policy ensure basic interaction between local computers and the Administration Server. For advanced functions usage you need to configure rules for ports manually. For more information about port numbers, protocols, and their functions, see this article.
- When requests are made by the Firewall Management task at minute intervals, the application does not control changes to Windows Firewall rules and groups of rules that were added when installing the Firewall Management component. To refresh the state and availability of such rules it is necessary to restart the task.
- For the proper functioning of the Firewall Management component on computers running a Microsoft Vista operating system or higher, you need to start the Windows Firewall Service (launched by default).
- The Application Setup Wizard warns that an excessively long path has been specified should full path to the Kaspersky Embedded Systems Security installation folder contain more than 150 characters. The warning does not affect the installation process.
- Installing the SNMP Protocol Support component requires restarting the SNMP service if this service is running.
- Windows Installer 3.1 is required for Kaspersky Embedded Systems Security to install and work properly on a computer running OS Microsoft Windows XP SP2. By default, the component is not included in the OS Microsoft Windows XP SP2 distribution kit. You can download Windows Installer 3.1 from the Microsoft oficial website.
- The Filter Manager component is required for Kaspersky Embedded Systems Security to install and work properly on a computer running embedded operating systems.
- Installation of Kaspersky Embedded Systems Security Administration Tools using Microsoft Active Directory group policies is not supported.
- When installing the application on the computers running an out-dated OS that is unable to receive updates, make sure that that the following root certificates are present in the system:
- DigiCert Assured ID Root CA
The application cannot be activated using a key from the installation wizard in the following cases:
- The key file is located on a disk created using the SUBST command.
- The specified path to the key file is a network path.Specify the path to the key file.
The Kaspersky Embedded Systems Security icon is hidden by default after the installation of critical updates.
- In Kaspersky Embedded Systems Security Console, the filter is case-sensitive for the following nodes: Quarantine, Backup, System Audit Log, Task Logs.
- The remote connection to the Kaspersky Embedded Systems Security Console is unavailable if the application is installed on a computer that is running Microsoft Windows XP SP2 with default network access configurations and is not connected to a domain. By default, the Guest only mode is applied for an XP SP2 local accounts security model. To activate the option of remote use of Console, manually change the value to Classic in the local policy security settings on a computer with Kaspersky Embedded Systems Security installed.
- When protection and scan scopes are configured using Kaspersky Embedded Systems Security Console, it is possible to use only one mask at the end of the path. Examples of correct masks:
This limitation does not apply to the Trusted Zone component.
To open the Kaspersky Embedded Systems Security Console by double-clicking the application icon in the tray notification area the user account must be included to KESS Administrators group. Otherwise, "About the application" window is opened. This occurs if the User Account Control is activated in the operating system parameters.
Kaspersky Security Center integration.
- Kaspersky Security Center Administration Server checks the application database updates before its distribution on the computer network. The application module updates are not verified by the Administration Server.
- When working with components that transfer dynamic, changing data to Kaspersky Security Center using network lists (such as Quarantine or Backup), make sure that the appropriate check boxes are ticked in the settings for Administration Server interaction.
- When the command line tool is applied, special characters are only displayed if the regional settings of the operating system match the current Kaspersky Embedded Systems Security localization.
- When basic authentication is used on a proxy server, authentication errors may occur when the user name or password are set using multi-byte encoding.
- When a file is restored from Quarantine or Backup, the Encrypted value in the file attributes is not restored.
- The mirror server cannot be used if the application connects to syslog-server via the UDP protocol.
- When connecting a USB device, there is a likelihood that the application will not recognize the device type. In this case only the device’s GUID will be displayed.
- The Device Instance Path values are specified in different formats for the Device Control component and the USB connections monitor functionality.