Deploying the application using the command line

Kaspersky Endpoint Security is distributed in the DEB and RPM packages. There are separate packages for the application and for the graphical user interface.

You can perform the following actions when installing the application:

• Install only the application package, without the graphical user interface.
• Install the graphical user interface package.

  It is not possible to install the graphical user interface package on a client device that does not have the application package installed.

  If Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments (as part of Kaspersky Hybrid Cloud Security for Virtualization Light Agent), the graphical user interface is not supported. You need to install only the application package without the graphical user interface.

If the version of the apt package manager is lower than 1.1.X, use the dpkg/rpm package manager (depending on the operating system) for installation.

After the application installation using the command line is completed, perform the post-installation configuration of the application by running the post-installation configuration script or in the automatic mode.

Installing the application using the command line

Installing the application without the graphical interface.

To install Kaspersky Endpoint Security from an RPM package on a 32-bit operating system, execute the following command:

# rpm -i kesl-12.0-<build number>.i386.rpm

To install Kaspersky Endpoint Security from an RPM package on a 64-bit operating system, execute the following command:

# rpm -i kesl-12.0-<build number>.x86_64.rpm

To install Kaspersky Endpoint Security from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:

# rpm -i kesl-12.0-<build number>.aarch64.rpm

To install Kaspersky Endpoint Security from a DEB package on a 32-bit operating system, execute the following command:

# apt-get install ./kesl_12.0-<build number>_i386.deb

To install Kaspersky Endpoint Security from a DEB package on a 64-bit operating system, execute the following command:

# apt-get install ./kesl_12.0-<build number>_amd64.deb

To install Kaspersky Endpoint Security from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:

# apt-get install ./kesl_12.0-<build number>_arm64.deb

Installing the graphical interface of the application

To install the graphical interface from the RPM package to a 32-bit operating system, execute the following command:

# rpm -i kesl-gui-12.0-<build number>.i386.rpm

To install the graphical interface from the RPM package to a 64-bit operating system, execute the following command:

# rpm -i kesl-gui-12.0-<build number>.x86_64.rpm

To install the graphical interface from an RPM package on a 64-bit operating system for the Arm architecture, execute the following command:

# rpm -i kesl-gui-12.0-<build number>.aarch64.rpm

To install the graphical interface from the DEB package to a 32-bit operating system, execute the following command:

# apt-get install ./kesl-gui_12.0-<build number>_i386.deb

To install the graphical interface from the DEB package to a 64-bit operating system, execute the following command:

# apt-get install ./kesl-gui_12.0-<build number>_amd64.deb

To install the graphical interface from a DEB package on a 64-bit operating system for the Arm architecture, execute the following command:

# apt-get install ./kesl-gui_12.0-<build number>_arm64.deb

Post-installation configuration of the application in interactive mode

After installing Kaspersky Endpoint Security using the command line, perform the initial configuration of the application by running the initial configuration script. The initial configuration script is included in the Kaspersky Endpoint Security distribution kit.

Performing the post-installation configuration after installing the application using the command line is required to enable the protection of the client device.

To run the Kaspersky Endpoint Security initial configuration script, execute the following command:

# /opt/kaspersky/kesl/bin/kesl-setup.pl

The initial configuration script must be run with the root privileges after the installation of Kaspersky Endpoint Security package is finished. The script requests the values of Kaspersky Endpoint Security settings step-by-step. The script finishing and the console being released indicate that the post-installation configuration is completed.

To check the return code, execute the following command:

echo $?

If the command returns 0, the post-installation configuration of the application is completed successfully.

Kaspersky Endpoint Security protects the device only after the application databases are updated.

Selecting the application usage mode

At this step, select the Kaspersky Endpoint Security usage mode:

• Enter yes if you want to use Kaspersky Endpoint Security in Light Agent mode to protect virtual environments.
• Enter no if you want to use Kaspersky Endpoint Security in standalone mode.

After the initial configuration is complete, you cannot change the application usage mode.

Defining the role of the virtual machine

This step is displayed only if at the first step you selected to use Kaspersky Endpoint Security in Light Agent mode for protecting virtual environments.

At this step, specify the role of the virtual machine (server or workstation) on which you are installing Kaspersky Endpoint Security:

• Enter yes if you are using the virtual machine as a server.
• Enter no if you are using a virtual machine as a workstation.

The role of a virtual machine determines the license under which the application will be used on this virtual machine as well as the available functionality.

Enabling VDI protection mode

This step is displayed only if at the first step you selected to use Kaspersky Endpoint Security in Light Agent mode for protecting virtual environments.

At this step, you can enable VDI protection mode. This mode optimizes the operation of Kaspersky Endpoint Security on temporary virtual machines. If VDI protection mode is enabled, updates that require restarting the virtual machine are not installed. When receiving updates that require a restart, the Light Agent installed on the virtual machine sends a message to Kaspersky Security Center about the need to update the protected virtual machine template.

Specify yes if you want to enable VDI protection mode. This is recommended if you are installing Kaspersky Endpoint Security on a virtual machine template that will be used to create temporary virtual machines.

Specify no if you do not want to enable VDI protection mode. This is recommended if you are installing Kaspersky Endpoint Security on a persistent virtual machine or on a virtual machine template that will be used to create persistent virtual machines.

Selecting the locale

At this step, the application displays the list of supported locales in RFC 3066 format.

Specify the locale as it is listed here. This locale is used for the following purposes:

• Localization of the texts of the End User License Agreement, Privacy Policy, and Kaspersky Security Network Statement, which are displayed during the installation.
• Localization of application events sent to Kaspersky Security Center.

The locale of the graphical interface and the application command line is taken from the LANG environment variable. If the application does not support this localization, it defaults to the English localization.

Viewing the End User License Agreement and the Privacy Policy

At this step, read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

Accepting the End User License Agreement

At this step, you must either accept or decline the terms of the End User License Agreement.

After exiting viewing mode, enter one of the following values:

• yes (or y), if you accept the terms of the End User License Agreement.
• no (or n), if you do not accept the terms of the End User License Agreement.

If you did not accept the terms and conditions of the End User License Agreement, the Kaspersky Endpoint Security setup process is aborted.

Accepting the Privacy Policy

At this step, you must either accept or decline the terms of the Privacy Policy.

After exiting viewing mode, enter one of the following values:

• yes (or y), if you accept the terms of the Privacy Policy.
• no (or n), if you do not accept the terms of the Privacy Policy.

If you did not accept the terms and conditions of the Privacy Policy, the Kaspersky Endpoint Security setup process is aborted.

Using Kaspersky Security Network

At this step, you must either accept or decline the terms of use of the Kaspersky Security Network Statement. The file ksn_license.<language ID> containing the text of the Kaspersky Security Network Statement is located in the directory /opt/kaspersky/kesl/doc/.

Enter one of the following values:

• yes (or y), if you accept the terms of the Kaspersky Security Network Statement. This enables the extended KSN mode.
• no (or n), if you do not accept the terms of the Kaspersky Security Network Statement.

Refusal to participate in Kaspersky Security Network does not interrupt the initial configuration of Kaspersky Endpoint Security. You can enable, disable, or change the Kaspersky Security Network mode at any time.

If Kaspersky Endpoint Security is used in standalone mode and you have enabled the use of Kaspersky Security Network, the application's cloud mode is automatically enabled. In this mode, Kaspersky Endpoint Security uses a lightweight version of the malware databases. In Light Agent mode for protecting virtual environments, use of the lightweight malware databases is not supported.

Removing users from privileged groups

This step is displayed only if users are detected in the kesladmin group and/or in the keslaudit group.

At this step, specify whether or not to remove users from the kesladmin and keslaudit privileged groups. Users included in the kesladmin and keslaudit groups receive privileged access to the application's functions.

Enter yes to remove all detected users from the kesladmin and/or keslaudit group. Users whose primary group is kesladmin or keslaudit will be moved to the nogroup group. If there is no nogroup group, the installation will fail and you will be prompted to manually remove users from privileged groups.

Enter no if you do not want the application to remove users from the privileged groups.

Assigning the Administrator role to a user

At this step, you can grant the administrator (admin) role to the user.

Enter the name of the user to whom you want to grant the administrator role. You need the Administrator role to manage application settings and task settings in the graphical interface of the application and on the command line without using the sudo command.

You can assign the administrator role to a user later, after completing the initial configuration.

Determining the file operation interceptor type

At this step, the file operation interceptor type for the utilized operating system is determined. For operating systems that do not support fanotify technology, kernel module compilation will begin.

If all the required packages are available, the kernel module will be automatically compiled when the File Threat Protection task starts.

If, during the compilation of the kernel module, any dependencies are not found on the device, the Kaspersky Endpoint Security application suggests installing the relevant packages. If the package download fails, an error message will be displayed.

Enabling automatic configuration of SELinux

This step is displayed only if SELinux is installed on your operating system.

At this step, you can enable automatic configuration of SELinux for working with Kaspersky Endpoint Security.

Enter yes to enable automatic configuration of SELinux. If SELinux cannot be configured automatically, the application displays an error message and prompts the user to configure SELinux manually.

Enter no if you do not want the application to automatically configure SELinux.

By default, the application suggests yes.

If necessary, you can manually configure SELinux to work with the application later, after the initial configuration of the application is complete.

Configuring the update source

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step. If Kaspersky Endpoint Security is used in Light Agent mode, Kaspersky Endpoint Security receives updates of databases and application modules for the Light Agent from the Protection Server.

At this step, specify the update sources for databases and application modules.

Enter one of the following values:

• KLServers: the application receives updates from one of the Kaspersky update servers.
• SCServer: the application downloads updates to the protected device from Kaspersky Security Center Administration Server installed in your organization. You can select this update source if you use Kaspersky Security Center for centralized administration of device protection in your organization.
• <URL>: the application downloads updates from a custom source. You can specify the address of the custom source of updates in the local area network or on the Internet.
• <path> – the application receives updates from the specified directory.

Configuring proxy server settings

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step.

At this step, you must specify the proxy server settings if you are using a proxy server to access the Internet. Internet connection is required to download the application databases from the update servers.

To configure proxy server settings, perform one of the following actions:

• If you use a proxy server to connect to the Internet, specify the address of the proxy server using one of the following formats:
  • <IP address of the proxy server>:<port number>, if the proxy server connection does not require authentication;
  • <user name>:<password>@<IP address of the proxy server>:<port number>, if the proxy server connection requires authentication.

    When connecting via an HTTP proxy, we recommend to use a separate account that is not used to sign in to other systems. An HTTP proxy uses an insecure connection, and the account may be compromised.

• If you do not use a proxy server to connect to the Internet, enter no as your answer.

By default, the application suggests no.

You can configure the proxy server settings later without using the post-installation configuration script.

Starting an application database update

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step. If Kaspersky Endpoint Security is used in Light Agent mode, Kaspersky Endpoint Security receives updates of databases and application modules for the Light Agent from the Protection Server.

At this step, you can run the application database update task on the client device. The application databases contain descriptions of the threat signatures and methods of countering them. The application uses these records when searching and neutralizing threats. Kaspersky virus analysts regularly add new records about threats.

If you do not want to start to download the application databases, enter no.

If you want to start the database update task on the device, enter yes.

By default, the application suggests yes.

If yes is selected, the application will be automatically restarted after the databases are updated.

Kaspersky Endpoint Security protects the device only after the application databases are updated.

You can start the Update task without using the initial configuration script.

Enabling automatic application database update

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step. If Kaspersky Endpoint Security is used in Light Agent mode, Kaspersky Endpoint Security receives updates of databases and application modules for the Light Agent from the Protection Server.

At this step, you can enable automatic update of the application databases.

Enter yes to enable automatic application database update. By default, the application checks for available database updates every 60 minutes. If updates are available, the application downloads the updated databases.

Enter no if you do not want the application to automatically update the databases.

You can enable automatic database update without using the initial configuration script by configuring the update task schedule.

Application activation

This step is displayed only if you selected to use Kaspersky Endpoint Security in standalone mode at the first step. If Kaspersky Endpoint Security is used in Light Agent mode, Kaspersky Endpoint Security receives information about the license from the Protection Server; there is no need to activate Kaspersky Endpoint Security separately.

At this step, activate the application using an activation code or a key file.

To activate the application using an activation code, enter the activation code.

To activate the application using a key file, specify the full path to the key file.

If no activation code or key file is specified, the application is activated using a trial key for one month.

You can activate the application later without using the post-installation configuration script.

Post-installation configuration of the application in automatic mode

You can perform post-installation configuration of the application in automatic mode.

To launch the automatic initial setup of the application, carry out the following command:

# /opt/kaspersky/kesl/bin/kesl-setup.pl --autoinstall=<initial configuration file>

where <post-installation configuration file> is a path to the configuration file that contains post-installation configuration settings. You can create this file or copy the necessary structure from the autoinstall.ini configuration file used for remote installation of the application using Kaspersky Security Center.

When the post-installation configuration script is finished and releases the console, the post-installation configuration of the application is complete.

To check the return code, execute the following command:

echo $?

If the command returns 0, the post-installation configuration of the application is completed successfully.

Kaspersky Endpoint Security protects the device only after the application databases are updated.

To correctly update application modules after the script has finished, you may need to restart the application. Check the status of updates for the application using the kesl-control --app-info command.

Settings in the configuration file for post-installation configuration

In the post-installation configuration file, you can specify the settings shown in the table below. The set of applicable settings depends on the application usage mode.

Settings in the configuration file for post-installation configuration

If you want to change the settings in the configuration file for initial setup of the application, specify the values of settings in the following format: <setting_name>=<setting_value> (the application does not process spaces between the name of a setting and its value).