Contents
- Installing and uninstalling Kaspersky Endpoint Agent
- Preparing for Kaspersky Endpoint Agent installation
- Installing Kaspersky Endpoint Agent
- Installing and uninstalling Kaspersky Endpoint Agent locally
- Installing Kaspersky Endpoint Agent using Kaspersky Security Center
- Installing Kaspersky Endpoint Agent administration tools
- Updating Kaspersky Endpoint Agent from the previous version
- Repairing Kaspersky Endpoint Agent
- Changes in the system after Kaspersky Endpoint Agent installation
Installing and uninstalling Kaspersky Endpoint Agent
This section contains information on how to install Kaspersky Endpoint Agent on a device, how to update the application from a previous version, and how to remove the application from a device.
Preparing for Kaspersky Endpoint Agent installation
Before installing Kaspersky Endpoint Agent on a device or updating the application from a previous version, make sure that the following conditions are met:
- The device complies with the hardware and software requirements.
- You have the permissions required to install the application.
If any of these conditions is not met, the corresponding notification will be displayed.
Installing Kaspersky Endpoint Agent
Kaspersky Endpoint Agent installation can be performed:
- Locally using the Installation Wizard.
- Locally using the command line.
- Remotely using Kaspersky Security Center.
- Remotely using Microsoft Windows Group Policy Management Editor (for details, visit the Microsoft Technical Support website).
For remote installation, the settings can be passed using the configuration file. Before you do so, first place the install_props.json file in the same folder as the endpointagent.msi file.
Installing and uninstalling Kaspersky Endpoint Agent locally
This section contains information on how to install Kaspersky Endpoint Agent locally on a device.
Installing Kaspersky Endpoint Agent using the Installation Wizard
The interface of the Installation Wizard application consists of a sequence of windows corresponding to the application installation steps.
To install the application or update it from a previous version using the application Installation Wizard, copy the endpointagent.msi file that is included in the distribution kit to the user device and run it.
The application Installation Wizard starts.
After Kaspersky Endpoint Agent is installed on the device, the Installation Wizard can be launched on this device in one of the following modes:
- Restore damaged application modules.
- Uninstall the application from the device.
Removing Kaspersky Endpoint Agent using the Installation and Uninstallation Wizard
You can uninstall Kaspersky Endpoint Agent using standard Microsoft Windows installation and uninstallation tools. Uninstallation launches the wizard, which removes all application components from the device.
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
Installing, restoring and uninstalling the application using the command line
Kaspersky Endpoint Agent can be installed and uninstalled using the msi package by setting the values of MSI properties in a standard way. For more information on using standard Windows Installer commands and keys, refer to the documentation provided by Microsoft.
Installing Kaspersky Endpoint Agent
An example of installing the application in quiet mode with default settings is shown below. After starting the application installation in quiet mode, your participation in the installation process is not required.
Installing Kaspersky Endpoint Agent in quiet mode requires acceptance of the terms and conditions of the End User License Agreement and Privacy Policy. Use the EULA=1 and PRIVACYPOLICY=1 parameters only if you have fully read, understood, and accept the terms of the End User License Agreement and Privacy Policy.
Example:
Command parameters for installing Kaspersky Endpoint Agent
Parameter | Description |
---|---|
 | Required parameter. This parameter indicates whether the user consents to or declines the terms of the End User License Agreement. Values: |
 | Required parameter. This parameter indicates whether the user consents to or declines the terms of the Privacy Policy. Values: |
 | This parameter sets the flag for using the hardware identifier in the form of the value of the Values: |
Repairing Kaspersky Endpoint Agent
An example of restoring the application in quiet mode is shown below. After starting application restoration in quiet mode, your participation in the restoration process is not required.
Example:
Uninstalling Kaspersky Endpoint Agent
An example of uninstalling the application in quiet mode is shown below. After starting application uninstallation in quiet mode, your participation in the uninstallation process is not required.
Example:
If the application is password protected:
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
Installing Kaspersky Endpoint Agent using Kaspersky Security Center
Kaspersky Endpoint Agent can be installed using a remote installation task in Kaspersky Security Center. Installation consists of the following steps:
Kaspersky Security Center also supports other methods of installing applications on groups of managed devices. For more information about installation using a remote installation task and other installation methods, refer to the Kaspersky Security Center Help.
When creating an installation package using Kaspersky Security Center 12 and later in order to install Kaspersky Endpoint Agent on devices running Windows XP, use the installation startup file (setup.exe) from the installation package created using Kaspersky Security Center 10.5.
Creating Kaspersky Endpoint Agent installation package
An installation package is a set of files generated for the remote installation of a Kaspersky application using Kaspersky Security Center. The installation package contains the required settings to install the application and ensure its operation immediately after installation. The installation package is created on the basis of the file with the KUD extension included in the application distribution package.
Creating an installation package in the Administration Console.
Creating an installation package in the Web Console and in the Cloud Console.
When creating an installation package using Kaspersky Security Center 12 and later in order to install Kaspersky Endpoint Agent on devices running Windows XP, use the installation startup file (setup.exe) from the installation package created using Kaspersky Security Center 10.5.
Creating Kaspersky Endpoint Agent remote installation task
The Remote application installation task is intended for the remote installation of Kaspersky Endpoint Agent using Kaspersky Security Center. To install the application, the task uses the application installation package.
Creating a remote installation task in the Administration Console.
Creating a remote installation task in the Web Console and in the Cloud Console.
Installing Kaspersky Endpoint Agent administration tools
This section contains information on how to install Kaspersky Endpoint Agent Management plug-in for managing Kaspersky Endpoint Agent using Kaspersky Security Center Administration Console or Kaspersky Endpoint Agent Management web plug-in for managing Kaspersky Endpoint Agent using Kaspersky Security Center Web Console.
Installing and updating Kaspersky Endpoint Agent Management plug-in
The Kaspersky Endpoint Agent Management plug-in must be installed in order to manage Kaspersky Endpoint Agent using the Kaspersky Security Center Administration Console.
To install the Kaspersky Endpoint Agent Management plug-in, copy the klcfginst.msi file from the distribution kit to the device on which Kaspersky Security Center Administration Console is installed and run the file.
The application Installation Wizard starts.
Updating a previously installed version of the Kaspersky Endpoint Agent Management plug-in
This update is only available for the Kaspersky Endpoint Agent Management plug-in versions 3.7 and later.
When installing a plug-in on a device with a previous plug-in version:
- All the setting values, including policies, group and local tasks, are migrated to the new plug-in version, and the previously installed plug-in version is automatically removed.
- The Kaspersky Endpoint Agent settings that were not available in the previous plug-in version are set to default values and can be configured.
To apply previously unavailable settings, after updating the plug-in, change the desired policy or task and save your changes.
- Policy templates created in the previous plug-in version are available in the new plug-in version.
You can use the new plug-in to manage previous Kaspersky Endpoint Agent versions. However, previous versions of Kaspersky Endpoint Agent do not support and do not apply the settings that have appeared in the new plug-in version.
Installing and updating Kaspersky Endpoint Agent Management web plug-in
Kaspersky Endpoint Agent Management web plug-in must be installed to manage Kaspersky Endpoint Agent using Kaspersky Security Center Web Console.
You can install the web plug-in in one of the following ways:
- Using the Initial Setup Wizard of the Kaspersky Security Center Web Console.
- From the list of available distribution packages in the Kaspersky Security Center Web Console.
For detailed information on installing management web plug-ins, refer to the Kaspersky Security Center Help.
- By downloading the distribution package to the Kaspersky Security Center Web Console from a third-party source.
To install the web plug-in, add a ZIP archive with the distribution package of the Kaspersky Endpoint Agent web plug-in to the Web Console interface (Console settings → Web plug-ins). You can download the web plug-in distribution kit, for example, from Kaspersky's website.
Updating a previously installed version of the Kaspersky Endpoint Agent Management web plug-in
When installing a plug-in on a device with a previous plug-in version:
- All the setting values, including policies, group and local tasks, are migrated to the new plug-in version, and the previously installed plug-in version is automatically removed.
- The Kaspersky Endpoint Agent settings that were not available in the previous plug-in version are set to default values and can be configured.
To apply previously unavailable settings, after updating the plug-in, change the desired policy or task and save your changes.
- Policy templates created in the previous plug-in version are available in the new plug-in version.
You can use the new plug-in to manage previous Kaspersky Endpoint Agent versions. However, previous versions of Kaspersky Endpoint Agent do not support and do not apply the settings that have appeared in the new plug-in version.
Updating Kaspersky Endpoint Agent from the previous version
Only Kaspersky Endpoint Agent version 3.8 and later can be updated. The update is possible for application versions installed both as part of the
application and independently. The update can be performed by installing the new version.
When you update Kaspersky Endpoint Agent, the current license is automatically applied to Kaspersky Endpoint Agent. The license term will remain unchanged. When updating the application with an expired license, the new application version works in limited functionality mode after installation.
If the license for the updated version has expired, you can add the license key during the update. The key file can be passed using one of the specified methods.
When Kaspersky Endpoint Agent is installed on a device with a previous version of Kaspersky Endpoint Agent, first all
is saved and used, then the previous version of the application is automatically uninstalled.
If Kaspersky Endpoint Agent is installed on a device with a previous version of Kaspersky Endpoint Agent, you will need to create an account to connect to Kaspersky Security Center and migrate data from the previous version. The account uses the default name AutoIOC_Admin and a password specified by the user.
When updating a previous version of Kaspersky Endpoint Agent that is password protected, you must pass this password to the installer in one of the following ways:
- When installing the application locally using the installation wizard interface or interactively using the command line, specify the password at the appropriate step.
- When installing the application locally using the command line in quiet mode, specify the password as the value of the UNLOCK_PASSWORD key.
- When installing the application remotely using Kaspersky Security Center, pass the current password in the installation package settings.
When updating Kaspersky Endpoint Agent as part of EPP, you can pass the password as the value of the UNLOCK_PASSWORD key in the install_props.json configuration file.
The application password passed through the install_props.json configuration file is stored in the file in non-encrypted form. To reduce the probability of unauthorized access to this data, it is recommended to restrict access to the install_props.json file and delete it from the device after installing or updating the application.
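One way to apply this recommendation on the endpoint, as an added example that is not Kaspersky's own tooling: the script locks install_props.json down to SYSTEM and local Administrators, runs the quiet installation, and deletes the file afterwards. The function name and the staging folder are hypothetical, and the script assumes install_props.json has already been placed next to endpointagent.msi.

```powershell
#Requires -RunAsAdministrator
# Added example. Install-KeaWithProtectedProps and C:\Staging\KEA are hypothetical names.
function Install-KeaWithProtectedProps {
    [CmdletBinding()]
    param(
        # Folder that already holds endpointagent.msi and install_props.json.
        [string]$StageDir = 'C:\Staging\KEA',
        # Pass only after the EULA and Privacy Policy have been read and accepted.
        [switch]$AcceptEulaAndPrivacyPolicy
    )
    if (-not $AcceptEulaAndPrivacyPolicy) {
        throw 'EULA=1 and PRIVACYPOLICY=1 require explicit acceptance.'
    }
    $msi   = Join-Path $StageDir 'endpointagent.msi'
    $props = Join-Path $StageDir 'install_props.json'
    foreach ($file in $msi, $props) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { throw "Missing file: $file" }
    }

    # Replace the DACL on install_props.json: no inheritance, and only
    # SYSTEM (S-1-5-18) and local Administrators (S-1-5-32-544) keep access.
    $acl = Get-Acl -LiteralPath $props
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
        $id  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -LiteralPath $props -AclObject $acl

    try {
        # Quiet installation with default settings; the installer finds
        # install_props.json in the same folder as the .msi file.
        $msiArgs = @('/i', "`"$msi`"", '/qn', 'EULA=1', 'PRIVACYPOLICY=1')
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
        # 0 = success; 3010 = success, restart required (standard Windows Installer codes).
        if ($proc.ExitCode -notin 0, 3010) {
            throw "msiexec failed with exit code $($proc.ExitCode)"
        }
        $proc.ExitCode
    }
    finally {
        # The file holds UNLOCK_PASSWORD unencrypted: delete it whether or not setup succeeded.
        Remove-Item -LiteralPath $props -Force -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $props) {
            Write-Warning "Could not delete $props; remove it manually."
        }
    }
}
```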
Starting from version 3.10,
(also referred to as KMP) usage cannot be configured by means of Kaspersky Endpoint Agent. If usage of the KMP service was enabled in the previous Kaspersky Endpoint Agent version, the KMP service continues functioning after the application is updated to version 3.10 and later. After the application update, you can disable the KMP service only using Kaspersky Endpoint Agent Administration Plug-in or Kaspersky Endpoint Agent Web Plug-in of versions earlier than 3.10.
When installing a plug-in on a device with a previous plug-in version:
- All the setting values, including policies, group and local tasks, are migrated to the new plug-in version, and the previously installed plug-in version is automatically removed.
- The Kaspersky Endpoint Agent settings that were not available in the previous plug-in version are set to default values and can be configured.
To apply previously unavailable settings, after updating the plug-in, change the desired policy or task and save your changes.
- Policy templates created in the previous plug-in version are available in the new plug-in version.
You can use the new plug-in to manage previous Kaspersky Endpoint Agent versions. However, previous versions of Kaspersky Endpoint Agent do not support and do not apply the settings that have appeared in the new plug-in version.
Repairing Kaspersky Endpoint Agent
If you launch Kaspersky Endpoint Agent installer in Repair mode, it will check and restore the integrity of all damaged application modules and system registry keys created during the application's installation.
You can run the installer in Repair mode in one of the following ways:
- Locally using Kaspersky Endpoint Agent Installation Wizard.
- Locally using the command line.
- Remotely using Kaspersky Security Center by performing one of the following actions (for details, refer to Kaspersky Security Center Help):
- By selecting the Repair application if it is already installed check box when creating the installation package.
- By specifying the REINSTALL=ALL parameter when creating a custom installation package.
If Kaspersky Endpoint Agent installer is launched in Repair mode and the application does not need to be repaired, the installer will not perform any changes on the device.
If Kaspersky Endpoint Agent installer is launched in Repair mode and the application is not installed on the device, the application installation will start.
If Kaspersky Endpoint Agent installer is launched in Repair mode locally using the command line or remotely using Kaspersky Security Center, and the settings of the installed application differ from the settings specified in the installer, the installer will be launched in the mode for changing the settings of the installed application.
Changes in the system after Kaspersky Endpoint Agent installation
The Windows Installer service performs the following changes on the protected device during the installation of Kaspersky Endpoint Agent:
- Creates Kaspersky Endpoint Agent folders.
- Registers Kaspersky Endpoint Agent keys in the system registry.
- Registers Kaspersky Endpoint Agent services and drivers.
Kaspersky Endpoint Agent folders on the protected device
When Kaspersky Endpoint Agent is installed, the following folders are created on the device:
- The default Kaspersky Endpoint Agent installation folder that contains Kaspersky Endpoint Agent executable files:
- On a 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\
- On a 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\
- Folder containing Kaspersky Endpoint Agent (x86) drivers:
- On a 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\drivers\<OS version>\<driver name>
- On a 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\drivers\x64\<OS version>\<driver name>
- Folders containing IOC files:
- In 32-bit version of Microsoft Windows:
- %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc
- %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.0
- %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.1
- In 64-bit version of Microsoft Windows:
- %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc
- %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.0
- %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.1
- Folders containing Kaspersky Endpoint Agent system files:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Images
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kata
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kmp
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Syslog
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Hunts
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Settings
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Tasks
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\DSKM
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp\Tasks
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Bases
- Folder containing system files for Kaspersky Security Network's operation:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Ksn
- Folder containing quarantined files:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Quarantine
- Folder containing files restored from quarantine:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Restored
- Folder containing Kaspersky Security Center policy configuration files:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Policy
- Folders containing system files for Kaspersky Sandbox's operation:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox\Queue
- Folder containing files of updatable components:
- %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Update
- Folder containing shortcut files for the Start menu:
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kaspersky Endpoint Agent
Kaspersky Endpoint Agent services and drivers
The following Kaspersky Endpoint Agent services are registered and started under the system account (SYSTEM):
- SOYUZ.exe is the main Kaspersky Endpoint Agent service that manages its tasks and operation processes.
- VOSTOK.dll (executed in proton.exe) is a service that facilitates the interaction between Kaspersky Endpoint Agent and the Central Node component.
- ANGARA.dll (executed in proton.exe) is a service that facilitates the interaction between Kaspersky Endpoint Agent and EPP in scenarios of Kaspersky Sandbox integration.
The following Kaspersky Endpoint Agent drivers are registered on the device:
- klsnsr.sys is the Event Tracing for Windows (ETW) driver.
- klncap.sys is the ETW network packet analyzer.
When installed on a device running Microsoft Windows XP, the klncapxp.sys driver is registered instead of klncap.sys.
System registry keys
As a result of Kaspersky Endpoint Agent's installation, the following registry keys are created:
Registry keys are listed in the 32-bit application view.
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdDisplayName]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdVersion]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorVersion]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorFlags]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\NagentMinVer]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorPath]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3KPD]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\ProductCode]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\NoPPL]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\BFESDDL]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable(Example)]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder(Example)]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EnableKillChain]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\SvmUpdateMode]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\MsiPath]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\AgentPath]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EventsExpirationTimeout]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallID]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallTime]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLCID]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLocalization]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallPlatformType]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\Version]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration]
- [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration(Example)]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\StartMenu]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\UninstallShortcut2]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\RelNotes]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\License]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Ksn]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Kmp]
- [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\ProductUrl]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\angara]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncap]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncapxp]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klsnsr]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vostok]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soyuz]
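A post-install baseline check built from a subset of the folders, services, drivers and registry keys listed above, as an added example (not part of Kaspersky's documentation or tooling). It assumes the service and driver names match the Services registry key names on this page, and it treats the last component of each listed registry path as a value name, falling back to a subkey; the function name is hypothetical.

```powershell
# Added example. Test-KeaInstallBaseline is a hypothetical name.
function Test-KeaInstallBaseline {
    [CmdletBinding()]
    param()

    # Executables live under the 32-bit Program Files folder on 64-bit Windows.
    $pf = if ([Environment]::Is64BitOperatingSystem) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $bin  = Join-Path $pf 'Kaspersky Lab\Endpoint Agent'
    $data = Join-Path $env:ALLUSERSPROFILE 'Kaspersky Lab\Endpoint Agent\4.0'

    # Folders: a sample of the ones listed on the page.
    $dirs = @($bin, (Join-Path $bin 'openioc'), (Join-Path $data 'Settings'),
              (Join-Path $data 'Policy'), (Join-Path $data 'Quarantine'))
    foreach ($dir in $dirs) {
        [pscustomobject]@{ Kind = 'Folder'; Name = $dir; Detail = ''
            Ok = (Test-Path -LiteralPath $dir -PathType Container) }
    }

    # Services must be registered under the SYSTEM account; the state is reported, not enforced.
    foreach ($svc in 'soyuz', 'vostok', 'angara') {
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Kind = 'Service'; Name = $svc
            Detail = if ($s) { "$($s.State) as $($s.StartName)" } else { 'not registered' }
            Ok = [bool]($s -and $s.StartName -eq 'LocalSystem') }
    }

    # Drivers (klncapxp replaces klncap on Windows XP, which this script does not target).
    foreach ($drv in 'klsnsr', 'klncap') {
        $d = Get-CimInstance Win32_SystemDriver -Filter "Name='$drv'" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Kind = 'Driver'; Name = $drv
            Detail = if ($d) { "$($d.State): $($d.PathName)" } else { 'not registered' }
            Ok = [bool]$d }
    }

    # Registry: the page lists keys in the 32-bit application view, so open that view explicitly.
    $hklm32 = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32)
    try {
        $paths = 'SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\Version',
                 'SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallID',
                 'SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\ProductCode'
        foreach ($path in $paths) {
            $leaf = Split-Path $path -Leaf
            $key  = $hklm32.OpenSubKey((Split-Path $path -Parent))
            $ok   = [bool]($key -and (($key.GetValueNames() -contains $leaf) -or
                                      ($key.GetSubKeyNames() -contains $leaf)))
            if ($key) { $key.Dispose() }
            [pscustomobject]@{ Kind = 'Registry'; Name = "HKLM\$path"; Detail = '32-bit view'; Ok = $ok }
        }
    }
    finally { $hklm32.Dispose() }
}

# Show only the artifacts that are missing or not registered as expected:
# Test-KeaInstallBaseline | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```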