Kaspersky Endpoint Security 11.1 for Windows

Kaspersky Endpoint Security for Windows (hereinafter also referred to as the application or as Kaspersky Endpoint Security) gives corporate users all-in-one protection against known digital threats.

WHAT'S NEW IN KASPERSKY ENDPOINT SECURITY 11.1 FOR WINDOWS

1. Support for operating systems:
   • Added support for migrating an installed Kaspersky Endpoint Security 11.1 for Windows when upgrading Windows 7 / 8 / 8.1 to Windows 10.
   • Added support for integration with Windows Defender Security Center.
   • Added support for Antimalware Scan Interface (AMSI).
   • Added support for Windows Subsystem for Linux (WSL).
2. Support for managing the application via the Kaspersky Security Center 11 Web Console.
3. Support for updating databases from Kaspersky Lab servers over the HTTPS protocol.
4. New component: Adaptive Anomaly Control. This component monitors and blocks potentially harmful actions that are not typical of the protected computer.
   Please note: the Adaptive Anomaly Control component can be managed only through Kaspersky Security Center 11.
5. Added capability for the Web Control, Mail Threat Protection, and Web Threat Protection components to scan network traffic that is transmitted over encrypted connections using the following protocols:
   • SSL 3.0.
   • TLS 1.0, TLS 1.1, TLS 1.2.
6. Added new functionality for the Network Threat Protection component to protect against attacks that exploit vulnerabilities in the ARP protocol to spoof a device's MAC address.
7. Added a protection level indicator to the installation package used for remote deployment of the application. The indicator displays the security level when selecting application components to be installed.
   Please note: protection level indicator for installation packages is supported only by Kaspersky Security Center 11.
8. Added new categories to the Web Control component: Cryptocurrencies and Mining.
   Added new subcategories to the Regional legal restrictions category:
   • Blocked as required by Belgian law.
   • Blocked as required by Japanese law.
9. Application Control:
   • New capability to create and edit application categories from a Kaspersky Endpoint Security 11.1 for Windows policy.
   • Improved reports about blocked application startups.
10. Reduced consumption of operating system resources when the application is operating in the background. Reduced scan time and consumption of operating system resources when performing the Background scan task.
   Instead of a scheduled scan, background scan is used by default in the following cases:
   • When Kaspersky Security Center 11 is initially deployed and configured, the quick virus scan task is not created.
   • When Kaspersky Endpoint Security 11.1 for Windows is newly installed, the local Full Scan task is created with the “Manually” run schedule.
   • When Kaspersky Endpoint Security 11.1 for Windows is installed over previous versions of the application, the “Manually” run schedule is applied to the local Full Scan task.
11. Other improvements:
   • Optimized mechanism for scan exclusions to ensure the operation of critical system processes and services. There is no longer a need to create predefined exclusions recommended by Kaspersky Lab experts during the installation stage.
   • A report on the state of application components has been added to Kaspersky Security Center.
   • The password protection settings now provide the capability to grant application management permissions to domain users and groups.
   • There is now the capability to password-protect the restoration of objects from Backup.
   • You can now supplement the policy-defined lists of trusted zone exclusions by using lists defined in profiles.

MINIMUM CONFIGURATION

For the application to work properly, the computer must meet the following requirements:

General requirements:
• Processor with a clock speed of 1 GHz or more (that supports the SSE2 instruction set)
• RAM:
   • 1 GB (for 32-bit operating systems)
   • 2 GB (for 64-bit operating systems)
• Hard drive: 2 GB of free disk space

Operating systems:
• Microsoft Windows 10 Home / Pro / Education / Enterprise x86 / x64. For details about support for Microsoft Windows 10, please refer to the article at https://support.kaspersky.com/13036.
• Microsoft Windows 8.1 Pro / Enterprise x86 / x64.
• Microsoft Windows 8 Pro / Enterprise x86 / x64.
• Microsoft Windows 7 Home / Professional / Enterprise x86 / x64 SP1 or later.
• Microsoft Windows Server 2019 Essentials / Standard x64.
• Microsoft Windows Server 2016 x64. For details about support for Microsoft Windows Server 2016, please refer to the article at https://support.kaspersky.com/13036. For details about support for Microsoft Windows Server 2016 Essentials / Standard, please refer to the article at https://support.kaspersky.com/13036.
• Microsoft Windows Server 2012 R2 Foundation / Essentials / Standard x64.
• Microsoft Windows Server 2012 Foundation / Essentials / Standard x64.
• Microsoft Windows MultiPoint Server 2011 x64.
• Microsoft Small Business Server 2011 Essentials / Standard x64.
• Microsoft Windows Server 2008 R2 Foundation / Standard / Enterprise x64 SP1.
• Microsoft Windows Server 2008 Standard / Enterprise x64 SP2.
• Microsoft Small Business Server 2008 Standard / Premium x64.

Server platform support limitations:
• The ReFS file system is supported with limitations.
• The Server Core and Cluster Mode configurations are not supported.
• Full Disk Encryption (FDE) and File Level Encryption (FLE) on server platforms are not supported.

Supported virtual platforms:
• VMware Workstation 14
• VMware ESXi 6.5 U1.
• Microsoft Hyper-V 2016 Server.
• Microsoft Hyper-V 2019 Server.
• Citrix XenServer 7.2.
• Citrix XenDesktop 7.17.
• Citrix XenApp 7.17.
• Citrix Provisioning Services 7.17.

For other details regarding support for virtual platforms, please refer to https://support.kaspersky.com/14967.

APPLICATION COMPATIBILITY WITH KASPERSKY SECURITY CENTER

The application is compatible with Kaspersky Security Center 11 and 10 Service Pack 3.

Please note: managing the Adaptive Anomaly Control component, support of protection level indicator for installation packages, reports on the new components (Adaptive Anomaly Control and AMSI Protection Provider), and reports on the status of the running or paused components are available only in Kaspersky Security Center 11.

To manage the application remotely via Kaspersky Security Center:
1. Install Network Agent on the computer. For detailed information, refer to Kaspersky Security Center Help.
2. Install the Kaspersky Endpoint Security for Windows Management Plug-in in Kaspersky Security Center Administration Console or in Kaspersky Security Center 11 Web Console. The installation file of the Management Plug-in is included in the application distribution package.

Special considerations for using the Kaspersky Endpoint Security 11.1 Management plug-in with policies and tasks that were created using the Kaspersky Endpoint Security 11 or 11.0.1 Management plug-in, as well as details of applying policies and tasks that were created using the Kaspersky Endpoint Security 11 or 11.0.1 Management plug-in, are described in the help article: https://help.kaspersky.com/KESWin/11.1.0/en-US/134238.htm.

Important note! The Kaspersky Endpoint Security 11.1 for Windows plug-in is installed over the Kaspersky Endpoint Security 11.0 for Windows plug-in. To return to the version 11.0 plug-in, first remove the 11.1 version of the plug-in.

INSTALLING FROM THE DISTRIBUTION PACKAGE

To install the application locally, run the setup_kes.exe file from the full distribution package and follow the Setup Wizard instructions.
See the Kaspersky Endpoint Security help to learn more about the installation methods.

During installation, Kaspersky Endpoint Security for Windows detects and allows you to uninstall applications that may affect the performance of the user's computer or cause other problems (even to the point of complete inoperability) when running at the same time as the product. The full list of incompatible software is available at https://support.kaspersky.com/14208.

You can update the following applications to Kaspersky Endpoint Security 11.1 for Windows when installing from the full distribution package:
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 for Windows (build 10.2.4.674).
  Special considerations for installing the update on a computer that has the AES Encryption Module installed are described in the section titled APPLICATION COMPATIBILITY WITH AES ENCRYPTION MODULES AND DETAILS ON UPDATING ENCRYPTION TO VERSION 11.1.
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 for Windows (build 10.2.5.3201).
  Special considerations for installing the update on a computer that has the AES Encryption Module installed are described in the section titled APPLICATION COMPATIBILITY WITH AES ENCRYPTION MODULES AND DETAILS ON UPDATING ENCRYPTION TO VERSION 11.1.
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 4 for Windows (build 10.2.6.3733).
  Special considerations for installing the update on a computer that has the AES Encryption Module installed are described in the section titled APPLICATION COMPATIBILITY WITH AES ENCRYPTION MODULES AND DETAILS ON UPDATING ENCRYPTION TO VERSION 11.1.
• Kaspersky Endpoint Security 10 Service Pack 2 for Windows (build 10.3.0.6294);
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 1 for Windows (build 10.3.0.6294);
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 2 for Windows (build 10.3.0.6294);
• Kaspersky Endpoint Security 10 Service Pack 2 Maintenance Release 3 for Windows (build 10.3.3.275);
• Kaspersky Endpoint Security 11 for Windows (build 11.0.0.6499);
• Kaspersky Endpoint Security 11.0.1 for Windows (build 11.0.1.90).

Important note! Updating applications version 10 Service Pack 2 or later is NOT supported if the effective key length of the distribution package is different from the key length of the distribution package originally used to install the application, even if the Full Disk Encryption (FDE) or File Level Encryption (FLE) components are not installed on the computer. Use a distribution package version 11.1 with the same key length as the installed version that you are going to upgrade. For example:
• keswin_11.1.0.XXXX__aes256 if you are upgrading an application that was installed from the AES256 distribution package.
• keswin_11.1.0.XXXX__aes56 if you are upgrading an application that was installed from the AES56 distribution package.

Upgrading from beta versions to Kaspersky Endpoint Security 11.1 for Windows is not supported. Applying policies and tasks that were created or modified using a beta version of the Plug-in to computers that have Kaspersky Endpoint Security 11.1 installed is also not supported.

UPGRADING VIA THE KASPERSKY LAB UPDATE SERVICE

Kaspersky Endpoint Security 11.1 for Windows can be installed via the Kaspersky Lab update service.

You can update the following applications using the Kaspersky Lab update service:
• Kaspersky Endpoint Security 11.0.1 for Windows (build 11.0.1.90).

Upgrading from beta versions to Kaspersky Endpoint Security 11.1 for Windows is not supported.

Please note the following special considerations when updating an application via the Kaspersky Lab update service:
• After you install the update, you will not be able to roll it back and return to the previous application version.
• This update is available only for applications with a valid license.
• Managing the Full Disk Encryption (FDE) functionality will remain blocked until installation of the application update is complete.
• To complete the update installation, you must restart your computer.
• To complete the update on a computer that has hard drives encrypted using Full Disk Encryption (FDE), you must restart the computer twice.

APPLICATION COMPATIBILITY WITH AES ENCRYPTION MODULES AND DETAILS ON UPDATING ENCRYPTION TO VERSION 11.1

Starting with Kaspersky Endpoint Security 10 Service Pack 2, the Encryption module is included in the application distribution package. Separate installation of the encryption module is not required.

All libraries required for encryption are automatically installed in the following cases:
1. When the application is installed, provided that the Full Disk Encryption (FDE) or File Level Encryption (FLE) component is selected.
2. When the application is installed on a computer that already has Kaspersky Endpoint Security for Windows 10 Service Pack 2 or later version installed, provided that the 11.1 distribution package has a corresponding key length. Updating the application is not supported if the effective key length of the distribution package is different from the key length of the distribution package originally used to install the application.
3. When the application is installed on a computer that already has Kaspersky Endpoint Security for Windows 10 Service Pack 2 or earlier version and AES Encryption module installed, provided that the 11.1 update distribution package has a corresponding key length and that the configuration of the update is supported (see below).

For automatic update of an installed AES encryption module, use the appropriate distribution package for Kaspersky Endpoint Security 11.1:
• keswin_<11.1.0.XXXX>__aes256 – to update an AES encryption module with a 256-bit effective key length
• keswin_<11.1.0.XXXX>__aes56 – to update an AES encryption module with a 56-bit effective key length

Automatic update of the AES encryption module is supported for the following configurations:
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 2 (build 10.2.4.674) and Encryption module version 1.1.0.73;
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 3 (build 10.2.5.3201) and encryption module version 1.1.0.73;
• Kaspersky Endpoint Security 10 Service Pack 1 Maintenance Release 4 (build 10.2.6.3733) and encryption module version 1.1.0.73.

Other configurations of Kaspersky Endpoint Security and AES encryption modules are not supported, and you must either delete the Encryption Module or update it to version 1.1.0.73 prior to updating Kaspersky Endpoint Security.

Before removing or updating the Encryption Module, you must decrypt all hard drives that have been encrypted using Full Disk Encryption (FDE). You will not be able to access the files that were encrypted using File Level Encryption (FLE) after you remove Encryption Module.

If you want to install an encryption Module with a different key length, prior to updating the application to version 11.1 you must decrypt all encrypted objects and remove the AES Encryption Module that was used. After installing an encryption Module with a different key length, access to the objects that were encrypted earlier will be lost and cannot be restored.

LIST OF BUGS FIXED AND PRIVATE PATCHES INCLUDED IN THE RELEASE

To view the list of fixed issues and private patches included in the release, please refer to https://support.kaspersky.com/14968.

Support of the following devices has been added for Kaspersky Disk Encryption (FDE) technology:
• Lenovo Yoga 500-14ISK (80R5) (Legacy BIOS mode).
• Lenovo Miix 700-12ISK (80QL) (Legacy BIOS mode).
• HP Z200 Workstation (Legacy BIOS mode).

LIMITATIONS AND KNOWN ISSUES

To view the list of limitations and known errors, please refer to https://support.kaspersky.com/14967.

© 2019 AO Kaspersky Lab. All Rights Reserved.