
We are facing an issue where some users are formatting their computers to remove Kaspersky Endpoint Security


Solved by THask

Mirza Shoaib
Posted

Dear All,

Please guide me regarding the queries below:

  • Is there a feature in Kaspersky that can generate alerts when these actions occur?
  • Additionally, is there a feature in Kaspersky that can enforce the reinstallation of KES on computers (formatted) that do not have KES and Network Agent (NA) when they connect to the network?
  • Can KSC generate an alert when a formatted machine (without KES or NA) reconnects to the network?

  • 2 weeks later...
  • Solution
Posted

Hello Mirza Shoaib,

Normally, devices that are found with Discovery Settings will appear in the list of unassigned devices.

You can set a notification for the event in KSC - Properties - Events - Info - New Device Detected.

You can additionally use relocation rules to move these devices to a group where automatic installation tasks run when a new device is added.

Posted (edited)

Hello @Mirza Shoaib

Below are the answers to your queries regarding Kaspersky Security Center (KSC) and Kaspersky Endpoint Security (KES):


1. Alert Generation for Specific Actions

Yes, Kaspersky Security Center (KSC) offers alerting mechanisms that can notify you when predefined actions occur. You can configure alerts and notifications through Policies and Event Configuration.

Steps to Generate Alerts:

  1. Open Kaspersky Security Center (KSC) Console.
  2. Navigate to Administration Server -> Notifications.
  3. Select New Notification Rule.
  4. Choose the specific Event or Action Type you want to monitor (e.g., blocked files, uninstallation of KES, failed installations).
  5. Set the Trigger Conditions (e.g., when an endpoint reconnects or a KES event occurs).
  6. Configure the Notification Method:
    • Email notifications (SMTP configuration required).
    • Windows Event Log or SNMP Trap for further integration.
  7. Apply the configuration and deploy the policy.

You can monitor for critical events like:

  • KES uninstallation.
  • New device connections.
  • Detection of unprotected devices without the Kaspersky agent.

2. Enforcing Reinstallation of KES and Network Agent (NA)

Kaspersky Security Center provides a Network Admission Control (NAC)-like feature via Unassigned Devices Discovery and Automatic Installation Tasks.

Automatic Reinstallation Configuration:

  1. Open KSC Console -> Go to Device Discovery Tasks.
  2. Create a New Device Discovery Task:
    • Use Ping Scan, DNS Scan, or NetBIOS scan to detect newly connected devices.
  3. Configure Installation Tasks:
    • Navigate to Tasks -> New Task -> Select Remote Installation of Applications.
    • Choose KES and Network Agent (NA) as the applications to install.
  4. Set the trigger to install automatically when a new or unprotected machine connects to the network.
  5. Apply the force installation option (this will ensure KES and NA are installed even if they were removed or the device was formatted).

This ensures that every device connecting to your network without KES or NA will have them reinstalled automatically.


3. Alert for Formatted Machine Reconnecting to the Network

KSC can generate alerts when a machine that was previously formatted (and missing KES or NA) reconnects to the network.

How to Configure the Alert:

  1. In KSC Console, go to Notifications -> New Notification Rule.
  2. Select the event: “Device not managed” or “Network Agent not installed”.
  3. Configure the notification to trigger when a device connects to the network without KES or NA.
  4. You can also integrate with Device Discovery Tasks:
    • Create a discovery task for newly connected or unmanaged devices.
    • Enable the "Generate Alert on Detection" option in the discovery task settings.
  5. Set the preferred notification method (email, SNMP trap, or event log).

Summary

  • Alerts: Yes, KSC can generate alerts for key events like blocked actions, uninstallation of KES, and reconnections of devices without KES or NA.
  • Automatic Reinstallation: Through Device Discovery Tasks, KSC can enforce the installation of KES and NA when a device connects to the network.
  • Alert for Formatted Machines: Use Discovery Tasks to trigger alerts when unprotected devices reconnect to the network.

These configurations will ensure better security compliance and give you real-time alerts for essential actions. Let me know if further clarification is needed!

Thank you

Edited by KarDip
changed meanings words
