Registering the Kaspersky Security Service as a protected service
3 August 2023
Protected Process Light ("PPL") technology ensures that the operating system only loads trusted services and processes. To start a service as a protected service, the Early Launch Antimalware driver must be installed on the device.
An Early Launch Antimalware ("ELAM") driver provides protection for devices in your network when they start and when third-party drivers are initialized.
An ELAM driver is automatically installed during Kaspersky Industrial CyberSecurity for Nodes installation and is used for registering the Kaspersky Security Service as a PPL when the operating system starts. When the Kaspersky Security Service (KAVFS) is started as a system protected process, other non-protected processes on the system are not able to inject threads, write into the virtual memory of the protected process, or stop the service.
When a process is started as a PPL, it cannot be managed by a user regardless of the assigned user permissions. The Kaspersky Security Service can be registered as PPL using the ELAM driver on Microsoft Windows Server 2016 RS3 build 16299 and higher operating systems. If you install Kaspersky Industrial CyberSecurity for Nodes on a protected device running an operating system that supports PPL, permission management will not be available for the Kaspersky Security Service (KAVFS).
To install Kaspersky Industrial CyberSecurity for Nodes as a PPL, run the following command:
msiexec /i kics_x64.msi NOPPL=0 EULA=1 PRIVACYPOLICY=1 /qn