Kaspersky Technical Training
Kaspersky Security for Windows Server
Lab Guide
KL 005.10.1
Kaspersky Lab
www.kaspersky.com

Table of contents

Lab 1. How to prepare the Administration Server ... 2
Lab 2. How to install Kaspersky Security 10.1 for Windows Server ... 10
Lab 3. How to install Kaspersky Security 10.1 Console ... 17
Lab 4. How to configure updates and on-demand scanning ... 22
Lab 5. How to configure Real-Time Protection ... 31
Lab 6. How to test protection of Docker containers ... 37
Lab 7. How to test protection of Windows Subsystem for Linux ... 50
Lab 8. How protection of server shared folders works ... 54
Lab 9. How to configure the Anti-Cryptor component ... 60
Lab 10. How to set Traffic Security to Driver Interceptor mode ... 67
Lab 11. How to configure Traffic Security to scan mail traffic ... 79
Lab 12. How to configure Exploit Prevention ... 90
Lab 13. How to enable Applications Launch Control in the test mode ... 99
Lab 14. How to enable Applications Launch Control in the Default Deny mode ... 110
Lab 15. How to create allow rules for installation packages and updates ... 117
Lab 16. How to configure System Inspection components ... 126
Lab 17. How to configure integration with a SIEM system ... 138
Lab 18. How to set Traffic Security to the External Proxy mode ... 148
Lab 19. How to protect a NetApp Clustered Data ONTAP 9.3 storage ... 155
Lab 20. How to configure Anti-Cryptor for NetApp ... 166

L–2 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server

Lab 1. How to prepare the Administration Server

Scenario. ABC Inc. has decided to purchase Kaspersky Security 10.1 for Windows Server to protect its servers. Kaspersky Lab protection products are already installed on the corporate workstations, and Kaspersky Security Center is used for remote management. The administrator plans to prepare Kaspersky Security Center for the deployment of Kaspersky Security 10.1 for Windows Server; for this, he or she will need the distribution, the latest fixes, and a license.

Contents. In this lab, we will:
1. Unpack the Kaspersky Security 10.1 for Windows Server distribution on the administrator's workstation
2. Add a license for Kaspersky Security 10.1 for Windows Server
3. Create a group for Kaspersky Security 10.1 for Windows Server
4. Create an installation package for Kaspersky Security 10.1 for Windows Server

Task A: Unpack the Kaspersky Security 10.1 for Windows Server distribution on the administrator's workstation

You can use Kaspersky Security Center to manage Kaspersky Security 10.1 for Windows Server, but its installation files are not available in Kaspersky Security Center by default. Therefore, we first need a distribution of Kaspersky Security 10.1 for Windows Server. The easiest way is to download it from the official Kaspersky Lab website. To save time, we copied the distribution to the desktop in advance. We also copied the latest patch for Kaspersky Security 10.1 for Windows Server and the latest versions of the plug-in and the Administration Console to the administrator's workstation.

The task is performed on Alex-Desktop. The DC and Security-Center machines must be powered on.

1. Run the ks4ws_10.1.0.622_en.exe file (it is located on the desktop)
2. Click Next
3. Do not change the destination folder
4. Click Next
5. Wait for the installation shell to open
6. Close the window
7. Open the folder C:\ks4ws\10.1.0.622\english\server\
8. Delete the file klcfginst.exe
9. Open the folder C:\critical_fix_core_11(kb14306)
10. Copy the following files (CTRL+C):
— critical_fix_core_11(kb14306)_x64.msp
— klcfginst.exe
11. Return to the folder C:\ks4ws\10.1.0.622\english\server\
12. Paste the files (CTRL+V):
— critical_fix_core_11(kb14306)_x64.msp
— klcfginst.exe

klcfginst.exe is the installer of the management plug-in. Replacing the one from the distribution with the one from the patch folder is why the plug-in version checked in step 49 is 10.1.0.636 rather than 10.1.0.622, and the .msp placed next to the installer is deployed together with the installation package.

Task B: Add a license for Kaspersky Security 10.1 for Windows Server

Kaspersky Security 10.1 for Windows Server requires a license key.

The task is performed on Alex-Desktop.

13. Run Kaspersky Security Center Administration Console
14. Select the Kaspersky Lab Licenses node
15. Click the button Add activation code or key
16. Click the button Activate application with key file
17. Click Browse
18. Specify the path to the key file (it is located on the desktop)
19. Select the check box Automatically deploy key to managed devices
20. Click Next
21. Click Finish
22. Make sure that the license has been added successfully

Task C: Create a group for Kaspersky Security 10.1 for Windows Server

To avoid confusion in Kaspersky Security Center and to make it easy to find the computers where Kaspersky Security 10.1 for Windows Server is installed, we recommend creating a dedicated group and moving computers into it automatically while installing Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.

23. Go to the Managed devices group and open the Devices tab
24. Click the New group button
25. Type KSWS for the group name
26. Click OK
27. Make sure that the group has been created successfully

Task D: Create an installation package for Kaspersky Security 10.1 for Windows Server

To be able to install an application remotely through Kaspersky Security Center, you need to prepare its installation package. By default, only the Network Agent, Kaspersky Endpoint Security, and sometimes a few Mobile Device Management packages are available in Kaspersky Security Center.

The task is performed on Alex-Desktop.

28. Select the Advanced | Remote installation | Installation packages container
29. Click the Create installation package button
30. Click the top button: Create an installation package for Kaspersky Lab application
31. Type Kaspersky Security 10.1 for Windows Server for the package name
32. Click Next
33. Click Browse
34. Specify the file C:\ks4ws\10.1.0.622\english\server\ks4ws.kud
35. Click Open
36. Click Next
37. Select the check box accepting the terms and conditions of this EULA
38. Select the check box accepting the Privacy Policy describing the handling of data
39. Click Next
40. Wait for the Kaspersky Security 10.1 Administration Plug-in Setup Wizard to start
41. Click Next
42. Click OK
43. Click Finish
44. Make sure that the new package has appeared on the list
45. Open the properties of the created installation package and switch to the Settings section
46. Look through the list of components
47. Close the installation package properties
48. Open the Administration Server properties
49. Switch to the Advanced | Information about the installed application management plug-ins section and make sure that the plug-in for Kaspersky Security 10.1 for Windows Server is listed there. Make sure that the plug-in version is 10.1.0.636 rather than 10.1.0.622

Conclusion

In this lab, we have taken the first steps towards deploying Kaspersky Security 10.1 for Windows Server. We unpacked the distribution, added the latest patch and the new version of the management plug-in, then added a license and created a dedicated group on the Administration Server. We also added an installation package of Kaspersky Security 10.1 for Windows Server to the Administration Server and installed the Kaspersky Security 10.1 for Windows Server plug-in.

Lab 2. How to install Kaspersky Security 10.1 for Windows Server

Scenario. The administrator is preparing to deploy Kaspersky Security 10.1 for Windows Server through Kaspersky Security Center: he has already installed the management plug-in, created an installation package, and added a license. He now needs to create a remote installation task for Kaspersky Security 10.1 for Windows Server. The Network Agent is not yet installed on all of the servers, and the task should install the Agent along with Kaspersky Security 10.1 for Windows Server. The task should also automatically move the target computers to the dedicated group.
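Task B of this lab verifies the deployment with the Kaspersky Lab software version report. The PowerShell script below is an added example and is not part of the guide: it performs the same check from Alex-Desktop over PowerShell remoting against the five target servers chosen in Task A, and also reports servers that did not answer, which the report cannot show. It assumes (none of this is stated in the guide) that WinRM is enabled on the targets, that the Kaspersky Security service is registered as KAVFS and the Network Agent service as klnagent, and that the product appears under its display name in the Uninstall registry keys; the hostnames are those used in this lab.

```powershell
# Added example, not from the lab guide. Run from Alex-Desktop after the
# "Install application remotely - KSWS 10.1" task has completed.
# Assumptions: WinRM enabled on the targets; KSWS service name KAVFS;
# Network Agent service name klnagent; product registered under its
# display name in the Uninstall registry keys.

$targets         = 'Security-Center', 'DC', 'Docker', 'RDS', 'WSL'   # Lab 2 Task A, step 16
$expectedProduct = 'Kaspersky Security 10.1 for Windows Server'

$results = Invoke-Command -ComputerName $targets -ErrorAction Continue -ScriptBlock {
    param([string]$ProductName)

    # Both 32-bit and 64-bit Uninstall hives, since the product is a 32-bit installer on x64
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $product = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like "$ProductName*" } |
               Select-Object -First 1

    $kavfs = Get-Service -Name 'KAVFS'    -ErrorAction SilentlyContinue   # assumed service name
    $agent = Get-Service -Name 'klnagent' -ErrorAction SilentlyContinue   # assumed service name

    $version   = if ($product) { $product.DisplayVersion } else { $null }
    $kavfsStat = if ($kavfs)   { $kavfs.Status.ToString() } else { 'missing' }
    $agentStat = if ($agent)   { $agent.Status.ToString() } else { 'missing' }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ProductFound   = [bool]$product
        ProductVersion = $version
        KavfsService   = $kavfsStat
        AgentService   = $agentStat
    }
} -ArgumentList $expectedProduct

$results | Sort-Object Computer |
    Format-Table Computer, ProductFound, ProductVersion, KavfsService, AgentService -AutoSize

# Servers that did not answer at all are the ones to look at first: the task may still be
# running there, or the Network Agent push with the domain credentials (step 19) may have failed
$answered = @($results | ForEach-Object Computer)
$silent   = $targets | Where-Object { $_ -notin $answered }
if ($silent) { Write-Warning "No response from: $($silent -join ', ')" }

# A server that answered but has the product missing or KAVFS not running will not be
# counted as protected in the software version report either
$results | Where-Object { -not $_.ProductFound -or $_.KavfsService -ne 'Running' } |
    ForEach-Object { Write-Warning "$($_.Computer): product found=$($_.ProductFound), KAVFS=$($_.KavfsService)" }

$protected = @($results | Where-Object { $_.ProductFound -and $_.KavfsService -eq 'Running' }).Count
"$protected of $($targets.Count) target servers report Kaspersky Security 10.1 for Windows Server running"
```

The last line should read "5 of 5" once Task A has finished on all targets; anything less points at a specific server, which is faster than re-running the report.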
Contents. In this lab, we will:
1. Install Kaspersky Security 10.1 for Windows Server through Kaspersky Security Center
2. Control the installation results

Task A: Install Kaspersky Security 10.1 for Windows Server through Kaspersky Security Center

We need to create a task that will remotely install Kaspersky Security 10.1 for Windows Server on several computers. The task should also install the Network Agent on the computers where it is not yet installed.

The task is performed on Alex-Desktop. The DC, Security-Center, RDS, and Proxy machines must be powered on.

1. Run Kaspersky Security Center Administration Console
2. Go to the Tasks node
3. Click the button Create a task
4. Select the Install application remotely task type under Kaspersky Security Center 10 Administration Server
5. Click Next
6. Select Kaspersky Security 10.1 for Windows Server on the list
7. Click Next
8. Select to install Kaspersky Security Center 10 Network Agent
9. Click Next
10. Click Next twice
11. Click Browse to specify the destination group for the target computers
12. Select the Managed devices | KSWS group
13. Click OK
14. Click Next
15. Click Select networked devices detected by Administration Server
16. Select the target computers: Security-Center, DC, DOCKER, RDS, and WSL
17. Click Next
18. Select the option Account required (for installation without Network Agent)
19. Specify the account under which the products will be installed: abc\Administrator (password: Ka5per5Ky)
20. Click Next twice
21. Type Install application remotely – KSWS 10.1 for the task name
22. Click Next
23. Select the check box Run task after Wizard finishes
24. Click Finish to close the wizard
25. Wait for the task to complete successfully

The account in step 19 is needed only to push the Network Agent to the servers that do not have it yet. In production, use a dedicated account with the minimum rights required for installation rather than the domain Administrator.

Task B: Control the installation results

You can control the installation results in a few ways. One of them is the Kaspersky Lab software version report, which displays the number of devices protected with Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.

26. Go to the KSWS group
27. Make sure that the Security-Center, DC, RDS, Docker, and WSL computers are there (if not, move them there)
28. Open the Administration Server node and switch to the Reports tab
29. Double-click Kaspersky Lab software version report
30. Make sure that Kaspersky Security 10.1 for Windows Server is installed on five computers

Conclusion

In this lab, we have studied remote installation of Kaspersky Security 10.1 for Windows Server together with the Network Agent. For management convenience, all computers were moved to a dedicated group. The Kaspersky Lab software version report helps to control the installation results.

Lab 3. How to install Kaspersky Security 10.1 Console

Scenario. The administrator has installed Kaspersky Security 10.1 for Windows Server on the servers through Kaspersky Security Center and has decided to install Kaspersky Security 10.1 Console as an additional monitoring tool. The administrator also plans to configure a custom tool in Kaspersky Security Center so as to connect through Kaspersky Security Console to any Kaspersky Security 10.1 for Windows Server from the computer's shortcut menu in Kaspersky Security Center.

Contents. In this lab, we will:
1. Install Kaspersky Security 10.1 Console locally
2. In Kaspersky Security Center, create a utility that will start Kaspersky Security Console and automatically connect it to the selected server

Task A: Install Kaspersky Security 10.1 Console locally

Kaspersky Security 10.1 for Windows Server does not have a built-in user interface. The Kaspersky Security 10.1 Console application provides the interface. It is the second most important KSWS management tool after Kaspersky Security Center. Even if Kaspersky Security Center is used, we recommend installing Kaspersky Security Console at least on the administrator's workstation, since it provides additional monitoring capabilities.

The task is performed on Alex-Desktop. The DC, Security-Center, RDS, and Proxy machines must be powered on.

1. Open the folder C:\critical_fix_core_1(kb14306)\client_14496_en\
2. Run the setup.exe file
3. On the welcome page, click Next
4. Select the check box accepting the terms and conditions of this EULA
5. Select the check box accepting the Privacy Policy describing the handling of data
6. Click Next
7. Select the Allow remote access check box
8. Click Next
9. Click Install
10. Wait for the installation to complete
11. Click OK

Task B: In Kaspersky Security Center, create a utility that will start Kaspersky Security Console and automatically connect to the selected server

In this task, you will create a custom tool in Kaspersky Security Center that connects through the Kaspersky Security Console to any Kaspersky Security 10.1 for Windows Server from the computer's shortcut menu.

The task is performed on Alex-Desktop.

12. Go to the KSWS subgroup and switch to the Devices tab
13. On the shortcut menu of the Security-Center computer, click Custom tools | Configure custom tools
14. Click Add
15. Type KSWS in the Tool name field
16. Specify the path in the Executable file name field: %WINDIR%\system32\mmc.exe
17. In the Working directory box, specify the following path: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security 10.1 for Windows Server Admins Tools\
18. In the Command line box, type: kavfs.msc /avserver:<host_winname>
19. Click OK
20. Click OK again
21. On the shortcut menu of the Security-Center computer, click Custom tools | KSWS
22. Make sure that the Kaspersky Security 10.1 Console starts and automatically connects to the target server

When the tool is started, Kaspersky Security Center substitutes the Windows name of the selected computer for <host_winname>, so the same tool works for every server in the group.

Conclusion

In this lab, we have installed Kaspersky Security 10.1 Console on the administrator's workstation. We have also created a custom tool in Kaspersky Security Center that lets the administrator connect to the necessary server through Kaspersky Security 10.1 Console in a single click.

Lab 4. How to configure updates and on-demand scanning

Scenario. The administrator has installed Kaspersky Security 10.1 for Windows Server on the servers through Kaspersky Security Center and now needs to configure remote management through group tasks and policies. To begin with, the administrator is to configure centralized updates for the databases and modules of Kaspersky Security 10.1 for Windows Server and create group on-demand scan tasks.

Contents. In this lab, we will:
1. Complete the Managed Application Quick Start Wizard
2. Create a module update task
3. Create a full scan task for servers

Task A: Complete the Managed Application Quick Start Wizard

After the plug-in of Kaspersky Security 10.1 for Windows Server is installed, a new wizard appears in Kaspersky Security Center Administration Console: Managed Application Quick Start Wizard. You can start it from the shortcut menu of the Administration Server. The wizard creates a policy and tasks for Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.
The DC and Security-Center machines must be powered on.

1. On the shortcut menu of the Administration Server node, click All Tasks | Managed Application Quick Start Wizard
2. Click Next
3. Select Kaspersky Security 10.1 for Windows Server
4. Click Next
5. Click Finish
6. Open the Managed devices node and switch to the Tasks tab
7. Make sure that two tasks of Kaspersky Security 10.1 for Windows Server have appeared there:
— Quick Scan task for Windows Server
— Update task for Windows Server
8. Open the properties of the Update task for Windows Server
9. Change its name to Database update – KSWS 10.1
10. Switch to the Schedule section
11. Make sure that the check box Run by schedule is selected
12. Make sure that Frequency is set to After Administration Server has retrieved updates
13. Click OK
14. Open the properties of the Quick Scan task for Windows Server
15. Change its name to Critical Areas Scan – KSWS 10.1
16. Switch to the Schedule section
17. Select the check box Run by schedule
18. Make the task start Daily, every 1 day at 00:00
19. Click OK

Task B: Create a module update task

In this task, we will create a task that updates the modules of Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.

20. Click the button Create a task
21. Under Kaspersky Security 10.1 for Windows Server, select the Software Modules Update task
22. Click Next twice
23. Leave the update source unchanged
24. Click Next
25. Leave the update settings unchanged
26. Click Next
27. Select the check box Run by schedule
28. Make sure that Frequency is set to After Administration Server has retrieved updates
29. Click Next twice
30. Type Software Modules Update – KSWS 10.1 for the task name
31. Click Next
32. Click Finish

Task C: Create a full scan task for servers

In this task, you will create a full scan task for Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.

33. Click the button Create a task
34. Under Kaspersky Security 10.1 for Windows Server, select the On-Demand Scan task
35. Click Next twice
36. Delete all scan areas
37. Add the My Computer scan area
38. Click Next
39. Clear the check box Consider task as critical areas scan
40. Click Next
41. Select the check box Run by schedule
42. Configure the task to start Weekly, every Friday at 00:00
43. Click Next twice
44. Type Full Scan – KSWS 10.1 for the task name
45. Click Next
46. Click Finish

Conclusion

By default, Kaspersky Security 10.1 for Windows Server is not managed centrally, and policies and tasks need to be created manually. In this lab, we have organized centralized updates of the Kaspersky Security 10.1 for Windows Server databases and modules, and created tasks that will periodically scan the critical areas and all local drives of the servers.

Lab 5. How to configure Real-Time Protection

Scenario. The administrator has installed Kaspersky Security 10.1 for Windows Server on the servers through Kaspersky Security Center, configured centralized updates for the Kaspersky Security 10.1 for Windows Server databases and modules, and created group on-demand scan tasks. To complete the deployment, the administrator is to configure real-time protection in the Kaspersky Security 10.1 for Windows Server policy.

Contents. In this lab, we will:
1. Configure a notification about module updates
2. Enable Kaspersky Security Network
3. Make sure that the KSN task is running

Task A: Configure a notification about module updates

In this task, you will configure notifications about module updates available for Kaspersky Security 10.1 for Windows Server. The best choice is e-mail notification.

The task is performed on Alex-Desktop. The DC and Security-Center machines must be powered on.

1. Open the Managed devices node and switch to the Policies tab
2. Make sure that it contains the policy Kaspersky Security 10.1 for Windows Server
3. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
4. Open the Event configuration section and switch to the Warning tab
5. Select the following event types:
— New scheduled software modules update is available
— New critical software modules update is available
6. Click the Properties button
7. Select the Notify by email check box
8. Click OK
9. Make sure that the envelope icons have appeared next to the events

Task B: Enable Kaspersky Security Network

In this task, you will enable Kaspersky Security Network in the Kaspersky Security 10.1 for Windows Server policy.

The task is performed on Alex-Desktop.

10. Switch to the Real-time server protection section
11. In the KSN Usage area, click Data processing
12. Select the check box Accept the terms of the Kaspersky Security Network Statement
13. Click OK
14. In the KSN Usage area, click Settings
15. Switch to the Task Management tab
16. Select the check box Run by schedule
17. Make sure that Frequency is set to At application launch
18. Click OK
19. Close the lock in the KSN Usage area (so that the policy enforces this setting on the servers)
20. Click OK
21. Wait for the policy to be enforced

Task C: Make sure that the KSN task is running

In this task, we will make sure that the KSN task has started.
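The steps below perform this check by hand on one server with kavshell.exe task. The following PowerShell script is an added example, not part of the guide, that runs the same command on every server of the KSWS group from Alex-Desktop and reports which of them have the ksn-service task Running, which is the check a practitioner wants after a policy change rather than a single spot check. It assumes that WinRM is enabled on the servers, that kavshell.exe is in the installation folder named in step 26, and that the task listing prints a task's name and its state (for example Running) on the same line; the hostnames and the function name Get-KswsTaskState are the script's own.

```powershell
# Added example, not from the lab guide: check the KSN Usage task on all KSWS servers.
# Assumptions: WinRM is enabled; kavshell.exe is in the default installation folder;
# "kavshell task" prints, for every task, its name and state (e.g. Running) on one line.

$kswsServers = 'Security-Center', 'DC', 'Docker', 'RDS', 'WSL'   # members of the KSWS group

function Get-KswsTaskState {
    # Runs "kavshell task" on the local server and reads the state of one task from the listing
    param([Parameter(Mandatory)][string]$TaskName)

    $installDir = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10.1 for Windows Server'
    $kavshell   = Join-Path $installDir 'kavshell.exe'
    if (-not (Test-Path $kavshell)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Task = $TaskName
                                  State = 'kavshell.exe not found'; Line = $null }
    }

    $listing = & $kavshell task 2>&1 | Out-String
    # Keep only the line(s) mentioning the task; the raw line is returned for troubleshooting
    $taskLines = @($listing -split "`r?`n" | Where-Object { $_ -match [regex]::Escape($TaskName) })

    $state = if ($taskLines -match '\bRunning\b') { 'Running' }
             elseif ($taskLines.Count -gt 0)       { 'not Running' }
             else                                  { 'task not listed' }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Task = $TaskName
                       State = $state; Line = ($taskLines -join ' | ') }
}

# Ship the function body to the servers and run it there with the task name as argument
$report = Invoke-Command -ComputerName $kswsServers -ErrorAction Continue `
    -ScriptBlock ${function:Get-KswsTaskState} -ArgumentList 'ksn-service'

$report | Sort-Object Computer | Format-Table Computer, Task, State, Line -AutoSize

# A server whose KSN task is not running has most likely not applied the policy yet,
# or the KSN Statement was not accepted in it (Task B, step 12)
$report | Where-Object State -ne 'Running' |
    ForEach-Object { Write-Warning "$($_.Computer): ksn-service is $($_.State)" }
```

The Line column carries whatever kavshell printed for the task, so if the listing format differs from the assumption the raw text is still there to read; "task not listed" on a server means the policy has not reached it or the component is not installed there.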
The task is performed on WSL.

22. Press CTRL+ALT+INS
23. Enter the password Ka5per5Ky
24. Press ENTER
25. Wait for the command line interface to open
26. Switch to the installation folder of Kaspersky Security 10.1 for Windows Server:
cd c:\Program Files (x86)\Kaspersky Lab\Kaspersky Security 10.1 for Windows Server\
27. Run kavshell.exe task
28. Make sure that the ksn-service task is Running

Conclusion

In this lab, we have configured the Kaspersky Security 10.1 for Windows Server policy. Some of the components do not start automatically by default. For instance, to start the KSN Usage task, you must accept the KSN Statement. We made the necessary changes to the policy; as soon as it was enforced, the new settings were applied to all servers, and the KSN Usage task started automatically.

Lab 6. How to test protection of Docker containers

Scenario. Docker is an application container technology. Windows Server supports Docker containers starting with Windows Server 2016. Each container is created from an image and contains operating system files, the user's files, and metadata. Kaspersky Security 10.1 for Windows Server can detect malicious files in Docker containers. The administrator is to deploy a Windows Server Core container, try to copy a malicious file into the container, and make sure that Kaspersky Security 10.1 for Windows Server detects and deletes it.

Contents. In this lab, we will:
1. Configure the Real-Time File Protection task
2. Test protection of Docker containers without accessing a malicious file
3. Test protection of Docker containers when a malicious file is accessed

Task A: Configure the Real-Time File Protection task

In this task, you will copy eicar.com to the Docker computer. For this purpose, first exclude the destination folder from Real-Time Protection in Kaspersky Security 10.1 for Windows Server; otherwise the test file would be deleted as soon as it reaches the server. The exclusion exists only to stage the test file, so remove it from the policy once the lab is finished.

The task is performed first on Alex-Desktop, and then on Docker. The DC and Security-Center machines must be powered on.

1. Open the Managed devices node and switch to the Policies tab
2. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
3. Switch to the Real-Time Server Protection section
4. In the Real-Time File Protection area, click Settings
5. Switch to the Protection scope tab
6. Click Add
7. Add the folder C:\Temp\
8. Click OK
9. Deselect the folder C:\Temp\ (clearing its check box excludes it from the protection scope)
10. Click OK twice
11. Wait for the policy to be enforced
12. Open the shared folder \\Docker\c$\Temp\
13. Copy the eicar.com file into it (the file is located on the desktop, in the Eicar folder)

Task B: Test protection of Docker containers without accessing a malicious file

In this task, we will deploy a Windows Server Core container and try to copy a malicious file into it. Inside the container, c:\temp is the excluded host folder bind-mounted with -v, which is why the test file survives there; the root of drive C:\ is the container's own file system, which is protected.

The task is performed on Docker.

14. Run PowerShell as administrator
15. Run the following command:
docker run -it -v c:\temp:c:\temp --name container_1 microsoft/windowsservercore
16. Wait for Docker to create container_1
17. Run the following commands:
cd c:\temp
dir
18. Make sure that the eicar.com file is still there
19. Copy the eicar.com file to the root of drive C:\
copy eicar.com c:\
20. Run the following commands:
cd c:\
dir
21. Make sure that the eicar.com file is missing from the root of drive C:\ (the file has been deleted)
22. Run the following commands:
exit
docker ps -a
23. Note the value of CONTAINER ID

Switch to the Alex-Desktop machine.

24. Return to Kaspersky Security Center Administration Console
25. Open the KSWS group and switch to the Devices tab
26. On the shortcut menu of the Docker computer, click Custom tools | KSWS
27. In the Server protection area, next to Detected, click the figure "1" (the actual number may differ)
28. Switch to the Events tab
29. Consult the detection events
30. Make sure that the detected object is named [ID of container_1]\eicar.com

Task C: Test protection of Docker containers when a malicious file is accessed

In this task, we will deploy another Windows Server Core container and try to copy a malicious file into it. Real-Time File Protection is paused while the file is copied and turned back on before the file is accessed, so that the detection happens on access rather than on write.

The task is performed first on Alex-Desktop, and then on Docker.

31. Open the Managed devices node and switch to the Policies tab
32. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
33. Switch to the Real-time server protection section
34. In the Real-Time File Protection area, click Settings
35. Switch to the Task management tab
36. Clear the check box Run by schedule
37. Click OK twice
38. Wait for the policy to be enforced

Switch to the Docker computer.

39. Run PowerShell as administrator
40. Run the following command:
docker run -it -v c:\temp:c:\temp --name container_2 microsoft/windowsservercore
41. Wait for Docker to create container_2
42. Run the following commands:
cd c:\temp
dir
43. Make sure that the eicar.com file is still there
44. Copy the eicar.com file to the root of drive C:\
copy eicar.com c:\
45. Run the following commands:
cd c:\
dir
46. Make sure that the eicar.com file is located in the root directory of drive C:\

Switch to the Alex-Desktop machine.

47. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
48. Switch to the Real-time server protection section
49. In the Real-Time File Protection area, click Settings
50. Switch to the Task management tab
51. Select the check box Run by schedule
52. Click OK twice
53. Wait for the policy to be enforced

Switch to the Docker computer.

54. Run the following command:
type eicar.com
55. Make sure that access is denied
56. Run the following commands:
exit
docker ps -a
57. Note the values of CONTAINER ID

Switch to the Alex-Desktop machine.

58. Return to Kaspersky Security Center Administration Console
59. Open the Administration Server node and switch to the Events tab
60. Click Run selection
61. Make sure that four events from the Docker computer have appeared in Kaspersky Security Center
62. Open the Infected or other object detected event
63. Make sure that the detected object is named [ID of container_2]\eicar.com
64. Click Close

Conclusion

In this lab, we have made sure that Kaspersky Security 10.1 for Windows Server can detect malicious files within Docker containers. The Real-Time Protection task takes care of that; no additional configuration is necessary.

Lab 7. How to test protection of Windows Subsystem for Linux

Scenario. Kaspersky Security 10.1 for Windows Server supports Windows Subsystem for Linux, a compatibility layer for running Linux applications in the latest versions of Microsoft Windows. In our environment, Windows Subsystem for Linux is based on Ubuntu Server 14.04. The administrator is to start a test malicious file in Windows Subsystem for Linux and make sure that Kaspersky Security 10.1 for Windows Server detects and deletes it.

Contents. In this lab, we will make sure that Kaspersky Security 10.1 for Windows Server can detect malicious files that run within Windows Subsystem for Linux.
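The container test in Lab 6 (Tasks B and C) was done interactively. Before moving on to Task A of this lab, here is the same test as a script, added here as an example and not taken from the guide. Run it in an elevated PowerShell on the Docker computer. It assumes that the Docker CLI is on the PATH, that the microsoft/windowsservercore image is present, and that C:\Temp on the host is excluded from Real-Time File Protection and holds eicar.com (Lab 6 Task A); the function name Test-ContainerDetection and the container name are the script's own. The script distinguishes the two outcomes the lab demonstrates: the file deleted on write (Task B) and the file present but blocked on read (Task C), and returns the full container ID so the detection event in Kaspersky Security Center can be matched by name.

```powershell
# Added example, not from the lab guide: scripted version of the Lab 6 container test.
# Assumptions: Docker CLI on PATH; image microsoft/windowsservercore pulled; host folder
# C:\Temp excluded from Real-Time File Protection and containing eicar.com (Lab 6 Task A).

function Test-ContainerDetection {
    param(
        [string]$ContainerName = 'container_test',
        [string]$Image         = 'microsoft/windowsservercore',
        [string]$HostShare     = 'C:\Temp',
        [int]   $WaitSeconds   = 10
    )

    # Detached container that stays alive; the excluded host folder is bind-mounted at c:\temp,
    # so the test file is readable there, while c:\ is the container's own (protected) file system
    docker run -d --name $ContainerName -v "${HostShare}:c:\temp" $Image cmd /c 'ping -t 127.0.0.1 >nul' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "docker run failed for image $Image" }

    try {
        # Full container ID: the KSC detection event names the object "<container ID>\eicar.com"
        $containerId = "$(docker inspect --format '{{.Id}}' $ContainerName)".Trim()

        $copyOutput = docker exec $ContainerName cmd /c 'copy /y c:\temp\eicar.com c:\eicar.com' 2>&1 | Out-String
        $copyExit   = $LASTEXITCODE

        # Task B behaviour: with protection running the file is deleted as soon as it is written.
        # Poll briefly instead of assuming the deletion is instantaneous.
        $deadline = (Get-Date).AddSeconds($WaitSeconds)
        do {
            $state = "$(docker exec $ContainerName cmd /c 'if exist c:\eicar.com (echo present) else (echo missing)')".Trim()
            if ($state -ne 'present') { break }
            Start-Sleep -Seconds 1
        } while ((Get-Date) -lt $deadline)

        # Task C behaviour: if the file survived (protection was paused while copying), reading it
        # must be blocked once protection is back on; "type" then fails with "Access is denied"
        $readExit = $null; $readOutput = $null
        if ($state -eq 'present') {
            $readOutput = "$(docker exec $ContainerName cmd /c 'type c:\eicar.com' 2>&1)".Trim()
            $readExit   = $LASTEXITCODE
        }

        $verdict = switch ($state) {
            'missing' { 'deleted on write (detected)' }
            'present' { if ($readExit -ne 0) { 'present, access blocked (detected on read)' }
                        else { 'NOT DETECTED: check the protection scope and task state' } }
            default   { "could not inspect the container (docker exec returned '$state')" }
        }

        [pscustomobject]@{
            ContainerId    = $containerId
            ExpectedObject = "$containerId\eicar.com"
            CopyExitCode   = $copyExit
            CopyOutput     = $copyOutput.Trim()
            FileAfterCopy  = $state
            ReadExitCode   = $readExit
            ReadOutput     = $readOutput
            Verdict        = $verdict
        }
    }
    finally {
        docker rm -f $ContainerName | Out-Null   # remove the container even if a step threw
    }
}

Test-ContainerDetection | Format-List
```

With Real-Time File Protection running (Lab 6 Task B) the verdict is "deleted on write"; with the task paused while the copy runs and resumed afterwards (Task C) it is "present, access blocked". Compare ExpectedObject with the object name in the Infected or other object detected event in Kaspersky Security Center.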
Task A: Make sure that Kaspersky Security 10.1 for Windows Server can detect malicious files that run within Windows Subsystem for Linux In this task, we will try to compile malicious code from Windows Subsystem for Linux that is running under Windows Server 2016. The task is performed first on Alex-Desktop, and then on WSL. The DC and Security-Center machines must be powered on. 1. Open the \\WSL\c$\Test\ shared folder 2. Copy the eicar_drop_kl_edu.cpp file into it (the file is located on the desktop, in the Eicar folder) Switch to the WSL machine 3. Press CTRL+ALT+INS 4. Enter the password Ka5per5Ky 5. Press ENTER L–51 Lab 7 6. Wait for the command line interface to open 7. Carry out powershell 8. Carry out wsl 9. Carry out cp /mnt/c/Test/eicar_drop_kl_edu.cpp /tmp/ 10. Carry out cd /tmp/ 11. Carry out g++ eicar_drop_kl_edu.cpp -o eicar_dropper L–52 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server 12. Carry out ./eicar_dropper 13. Make sure that Kaspersky Security 10.1 for Windows Server shows a message that the malicious file has been blocked and deleted Switch to the Alex-Desktop machine. 14. Return to the Kaspersky Security Center Administration Console 15. Open the Administration Server node and switch to the Events tab 16. Click Run selection 17. Make sure that four events from the WSL computer have appeared in Kaspersky Security Center L–53 Lab 7 18. On the shortcut menu of the Infected or other object detected event, click Go to device 19. On the shortcut menu of the WSL computer, click Custom tools | KSWS L–54 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server 20. In the Server protection area, next to Detected, click the figure “1” (the actual number may differ) 21. Switch to the Events tab 22. Consult the detection events 23. Click Close Conclusion In this lab, we have made sure that Kaspersky Security 10.1 for Windows Server can detect malicious files that run within Windows Subsystem for Linux. 
The Real-Time Protection task takes care of that; no additional configuring is necessary.

Lab 8. How protection of server shared folders works

Scenario. The administrator remotely connects from his workstation to a shared folder on a server where Kaspersky Security 10.1 for Windows Server is installed. The folder is shared with Write permissions, and the administrator tries to copy the eicar.com file into it. Copying starts, but the connection is terminated after a while. Another attempt to connect to the shared folder fails. The administrator opens Kaspersky Security Center and finds a recent event informing that his computer is now listed among untrusted hosts. After that, the administrator manually deletes the computer from the list of untrusted hosts and makes sure that the network folder is accessible again.

Contents. In this lab, we will make sure that Kaspersky Security 10.1 for Windows Server can block remote computers from which malicious activities have been attempted.

Task A: Make sure that Kaspersky Security 10.1 for Windows Server can block remote computers

In this task, we will imitate copying a malicious file to a shared folder on the server where Kaspersky Security 10.1 for Windows Server is running.

The task is performed on Alex-Desktop. The DC and Security-Center machines must be powered on.

1. Open the Managed devices node and switch to the Policies tab
2. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
3. Switch to the Real-Time Server Protection section
4. In the Real-Time File Protection area, click Settings
5. Select the check box List hosts showing malicious activity as untrusted
6. Click OK twice
7. Wait for the policy to be enforced
8. Open the shared folder \\10.28.0.20\Test\
9. Copy the eicar.com file into it (the file is located on the desktop, in the Eicar folder)
10. Wait for the connection to be terminated
11. Try to open the \\10.28.0.20\Test\ shared folder again
12. Make sure that the connection cannot be established
13. Click Close
14. Return to Kaspersky Security Center Administration Console
15. Open the Administration Server node and switch to the Events tab
16. Click Run selection
17. Find the event Host listed as untrusted
18. Open the event and read its description
19. Click Close
20. On the shortcut menu of the Host listed as untrusted event, click Device Properties
21. Switch to the Applications section
22. Select Kaspersky Security 10.1 for Windows Server
23. Click the Properties button
24. Switch to the Supplementary section
25. In the Storages area, click Settings
26. Switch to the Blocked host storage tab
27. Click Blocked host list
28. Select the Alex-Desktop computer
29. Click Clear entire list
30. Click Close
31. Close all windows
32. Try to open the \\10.28.0.20\Test\ shared folder again
33. Make sure that the connection has been established

Conclusion
In this lab, we tested protection of shared folders on a server and made sure that Kaspersky Security 10.1 for Windows Server can block remote computers that attempt malicious activities.

Lab 9. How to configure the Anti-Cryptor component

Scenario. The administrator has decided to test protection of shared folders against remote encryption and connects from a workstation to a shared folder on a server where Kaspersky Security 10.1 for Windows Server is installed. The network folder contains files and is shared with Write permissions. The administrator tries to encrypt text files over the network using an encryption utility installed on his workstation. As soon as the encryption process starts, the connection is terminated. Another attempt to connect to the shared folder fails.
The administrator opens Kaspersky Security Center and finds a recent event informing that his computer is now listed among untrusted hosts. After that, the administrator manually deletes the computer from the list of untrusted hosts and makes sure that the network folder is accessible again.

Contents. In this lab, we will:
1. Enable the Anti-Cryptor component
2. Make sure that the Anti-Cryptor task can detect encryption activities

Task A: Enable the Anti-Cryptor component

In this task, you will enable the Anti-Cryptor component.

The task is performed on Alex-Desktop. The DC and Security-Center machines must be powered on.

1. Open the Managed devices node and switch to the Policies tab
2. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
3. Switch to the Network activity control section
4. In the Anti-Cryptor area, click Settings
5. Switch to the Task management tab
6. Select the check box Run by schedule
7. Make sure that Frequency is set to At application launch
8. Click OK
9. Close the lock in the Anti-Cryptor area
10. Click OK
11. Wait for the policy to be enforced

Task B: Make sure that the Anti-Cryptor task can detect encryption activities

In this task, we will try to remotely encrypt text files in a shared folder on a server where Kaspersky Security 10.1 for Windows Server is running.

The task is performed on Alex-Desktop.

12. Open the shared folder \\10.28.0.20\Test\
13. Select all files (CTRL+A)
14. Right-click them and select AES Encrypt on the shortcut menu
15. Type the password: 123
16. Click OK
17. Make sure that the connection gets disrupted instantly
18. Try to open the shared folder \\10.28.0.20\Test\Docs\ again
19. Make sure that the connection cannot be established
20. Click Close
21. Return to Kaspersky Security Center Administration Console
22. Open the Administration Server node and switch to the Events tab
23. Click Run selection
24. On the shortcut menu of the recent event Host listed as untrusted, click Go to device
25. On the shortcut menu of the Security-Center computer, click Custom tools | KSWS
26. In the Control area, next to Malicious encrypting attempts detected, click the figure “9” (the actual number may differ)
27. Switch to the Events tab
28. Open the highest event
29. Read the description
30. Click OK
31. Click Close
32. Go to the Storages | Blocked Host Storage container
33. Select computer 10.28.0.20 (Alex-Desktop)
34. Click the link Unblock selected
35. Make sure that computer 10.28.0.20 (Alex-Desktop) has disappeared from the list
36. Try to open the shared folder \\10.28.0.20\Test\Docs\ again
37. Make sure that the connection has been established

Conclusion
In this lab, we’ve tested the Anti-Cryptor component, which can detect encryption activities and add the attacking computer to the list of untrusted hosts. Kaspersky Security 10.1 for Windows Server checks this list and blocks the respective computer.

Lab 10. How to set Traffic Security to Driver Interceptor mode

Scenario. A new component has appeared in Kaspersky Security 10.1 for Windows Server: Traffic Security, which permits scanning web and mail traffic. The component operates in several modes and is designed mainly to protect servers that provide users with Remote Desktop Services. Driver Interceptor is a Traffic Security mode where a special driver intercepts traffic. The administrator is to enable the Traffic Security component, then make sure that notifications for terminal users are also enabled, and test how Kaspersky Security 10.1 for Windows Server blocks unwanted websites.

Contents. In this lab, we will:
1. Enable notifications for terminal users
2. Enable the Traffic Security component
3. Verify that unwanted websites are blocked
4. Verify that Tor networks are blocked

Task A: Enable notifications for terminal users

In this task, we will learn how to configure notifications for terminal users in the policy.

The task is performed on Alex-Desktop. The DC, Security-Center, and RDS machines must be powered on.

1. Open the Managed devices node and switch to the Policies tab
2. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
3. Switch to the Logs and notifications section
4. In the Event notifications area, click Settings
5. Select the Object detected event type
6. Make sure that the Notify users: By using terminal service check box is selected
7. Click OK
8. Close the lock in the Event notifications area
9. Click OK

Task B: Enable the Traffic Security component

In this task, we will enable the Traffic Security component and switch it to the Driver Interceptor mode.

The task is performed on Alex-Desktop.

10. Switch to the Real-time server protection section
11. In the Traffic Security area, click Settings
12. Change the Task mode to Driver Interceptor
13. Click OK
14. Switch to the Task management tab
15. Select the check box Run by schedule
16. Make sure that Frequency is set to At application launch
17. Click OK
18. Close the lock in the Traffic Security area
19. Click OK
20. Wait for the policy to be enforced

Task C: Verify that unwanted websites are blocked

In this task, we will prohibit access to websites that belong to the “Social networks” category.

The task is performed on Alex-Desktop.

21. Start Internet Explorer
22. Type https://rds.abc.lab/rdweb in the address bar
23. Press ENTER
24. Click the link Go on to the webpage (not recommended)
25. Type the abc\Alex username and Ka5per5Ky password
26. Click Sign in
27. Click the Google Chrome icon
28. Click Connect
29. In the address bar, type https://www.facebook.com
30. Press ENTER
31. Make sure that the page opens
32. Return to Kaspersky Security Center Administration Console
33. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
34. Switch to the Real-time server protection section
35. In the Traffic Security area, click Rules list
36. Switch to the Categorization tab
37. Select the check box Apply rules for web traffic category control
38. Find the Social networks category in the list and deselect it
39. Click OK twice
40. Wait for the policy to be enforced
41. Return to the Google Chrome browser
42. Try to open https://www.facebook.com once again
43. Make sure that the page has been blocked

Task D: Verify that Tor networks are blocked

In this task, we will make sure that access to Tor networks is prohibited by default.

The task is performed first on Alex-Desktop, and then on RDS.

44. Return to Kaspersky Security Center Administration Console
45. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
46. Switch to the Real-time server protection section
47. In the Traffic Security area, click Rules list
48. Note that the list contains a rule that prohibits Tor certificates. The rule is enabled by default
49. Click OK twice

Switch to the RDS computer.

50. Log on to the system under the abc\Alex account with the password Ka5per5Ky
51. Open the C:\Temp\ folder
52. Start the installer of the Tor browser
53. Click OK
54. Click Install
55. Click Finish
56. Click Connect
57. Make sure that the browser cannot connect to the Tor network

Switch to the Alex-Desktop machine.

58. Return to Kaspersky Security Center Administration Console
59. Open the KSWS group and switch to the Devices tab
60. On the shortcut menu of the RDS computer, click Custom tools | KSWS
61. In the Server protection area, next to Certificates blocked, click the figure “7” (the actual number may differ)
62. Switch to the Events tab
63. Consult the detection events
64. Open the latest event
65. Read the event description
66. Close all windows

Conclusion
In this lab, you have learned how to enable the Traffic Security component and switch it to the Driver Interceptor mode. Also, we demonstrated that Kaspersky Security 10.1 for Windows Server can block unwanted websites and limit access to Tor networks.

Lab 11. How to configure Traffic Security to scan mail traffic

Scenario. The Traffic Security component can process not only web traffic, but also email. Kaspersky Security 10.1 for Windows Server can scan Microsoft Outlook 2010/2013/2016 messages using a special plug-in, which is to be installed additionally. The administrator is to install Kaspersky Security 10.1 Add-in for Microsoft Outlook using Kaspersky Security Center, connect to the terminal server where Microsoft Outlook 2013 is published, send a message with a malicious file and a phishing link, and check how Kaspersky Security 10.1 for Windows Server will process undesired objects.

Contents. In this lab, we will:
1. Install Kaspersky Security 10.1 Add-in for Microsoft Outlook
2. Enable mail threat protection
3. Verify that Kaspersky Security 10.1 for Windows Server intercepts mail traffic

Task A: Install Kaspersky Security 10.1 Add-in for Microsoft Outlook

In this task, we will install Kaspersky Security 10.1 Add-in for Microsoft Outlook using the remote installation task.

The task is performed on Alex-Desktop.
The DC, Security-Center, and RDS machines must be powered on.

1. Return to Kaspersky Security Center Administration Console
2. Select the Advanced | Remote installation | Installation packages container
3. Click the Create installation package button
4. Click the middle button: Create an installation package for specified executable file
5. Type KSWS 10.1 Microsoft Outlook Add-in for the package name
6. Click Next
7. Click Browse
8. Select the file C:\ks4ws\10.1.0.622\english\email_plugin\ksmail_x64.msi
9. Click Open
10. In the box Executable file command line (optional), type EULA=1 PRIVACYPOLICY=1
11. Click Next
12. Click Finish
13. Make sure that the new package has appeared on the list
14. On the shortcut menu of the new package, click Install application
15. Click the button Select devices for installation
16. Select the RDS computer
17. Click Next five times
18. Click Finish
19. Wait for the task to complete successfully

Task B: Enable mail threat protection

In this task, you will make sure that mail protection is enabled by default.

The task is performed on Alex-Desktop.

20. Open the Managed devices node and switch to the Policies tab
21. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
22. Switch to the Real-time server protection section
23. In the Traffic Security area, click Settings
24. Switch to the Mail threat protection tab
25. Make sure that the Enable mail threat protection check box is selected
26. Click OK twice

Task C: Verify that Kaspersky Security 10.1 for Windows Server intercepts mail traffic

In this task, we will check how Kaspersky Security 10.1 for Windows Server intercepts mail traffic.

The task is performed on Alex-Desktop.

27. Start Internet Explorer
28. Type https://rds.abc.lab/rdweb in the address bar
29. Press ENTER
30. Click the link Go on to the webpage (not recommended)
31. Type the abc\Alex username and Ka5per5Ky password
32. Click Sign in
33. Click the Outlook 2013 icon
34. Click Connect
35. Click Next
36. Click Next
37. Specify the following parameters:
— Your Name: Alex
— E-mail Address: alex@abc.lab
— Password: Ka5per5Ky
38. Click Next twice
39. Click Finish
40. Click Accept
41. Click FILE
42. Click Options
43. Switch to the Add-Ins section
44. Make sure that Kaspersky Security Outlook Addin is present in the list
45. Click OK
46. Run PowerShell as administrator
47. Carry out the following commands:
cd C:\Test\
.\mailsend.exe -smtp 10.28.0.10 -f hacker@gmail.com -t alex@abc.lab -sub Hello -attach C:\Test\eicar_txt.rar
48. Return to the mail client and open the message that has arrived
49. Make sure that you are informed about the detected malicious object
50. Click OK
51. Note that eicar_txt.rar has been renamed to eicar_txt.rar.htm
52. Return to PowerShell
53. Carry out the following command:
.\mailsend.exe -smtp 10.28.0.10 -f hacker@gmail.com -t alex@abc.lab -sub Hello
54. Type the following string: http://www.kaspersky.com/test/aphish_w/1
55. Press ENTER
56. Type one dot “.”
57. Press ENTER
58. Return to the mail client and open the message that has arrived
59. Make sure that the test phishing link has been blocked

Conclusion
In this lab, we have demonstrated how to install Kaspersky Security 10.1 Add-in for Microsoft Outlook using Kaspersky Security Center and how Traffic Security scans messages for malicious objects and phishing links.

Lab 12. How to configure Exploit Prevention

Scenario.
A new component has appeared in Kaspersky Security 10.1 for Windows Server: Exploit Prevention, which protects processes against malicious code intrusions. The component is implemented as a service. When it detects an attempt to intrude into a protected process, it can either stop the process or notify the administrator. The administrator is to enable the Exploit Prevention component and add a new process to the list of protected processes, connect to the terminal server where Microsoft Word is published, try to open a file with an exploit and make sure that Kaspersky Security 10.1 for Windows Server will react to the malicious activity and stop the process.

Contents. In this lab, we will:
1. Enable protection against exploits
2. Make sure that protection against exploits works correctly

Task A: Enable protection against exploits

In this task, you will enable the Exploit Prevention component and add a new process to the list of protected processes.

The task is performed on Alex-Desktop. The DC and Security-Center machines must be powered on.

1. Open the Managed devices node and switch to the Policies tab
2. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
3. Switch to the Real-time server protection section
4. In the Exploit Prevention area, click Settings
5. Select the check box Prevent vulnerable processes exploit
6. Switch the mode to Terminate on exploit
7. Open the Protected processes tab
8. Click Browse
9. Specify the following path to the process: \\RDS\c$\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
10. Click Add
11. Scroll the list of processes down
12. Make sure that the EQNEDT32.EXE process has appeared on the list
13. Click OK
14. Close the lock in the Exploit Prevention area
15. Click OK
16. In the Real-Time File Protection area, click Settings
17. Switch to the Task management tab
18. Clear the check box Run by schedule
19. Click OK twice
20. Wait for the policy to be enforced

Task B: Make sure that protection against exploits works correctly

In this task, we will try to run an exploit in a terminal session and make sure that Kaspersky Security 10.1 for Windows Server will react to it.

The task is performed on Alex-Desktop.

21. Start Internet Explorer
22. Type https://rds.abc.lab/rdweb in the address bar
23. Press ENTER
24. Click the link Go on to the webpage (not recommended)
25. Type the abc\Alex username and Ka5per5Ky password
26. Click Sign in
27. Click the Word 2013 icon
28. Click Connect
29. Click the link Open Other Documents
30. Select Computer
31. Click the button Browse
32. Specify the path to the file: C:\Temp\CVE-2017-11882\ridter_cmd_1.doc
33. Click Open
34. Make sure that a message informing of a detected exploit attempt has appeared
35. Click OK
36. Return to Kaspersky Security Center Administration Console
37. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
38. In the Real-Time File Protection area, click Settings
39. Switch to the Task management tab
40. Select the check box Run by schedule
41. Click OK twice
42. Open the KSWS group and switch to the Devices tab
43. On the shortcut menu of the RDS computer, click Custom tools | KSWS
44. Go to the Logs and notifications | Security log container
45. Select and open the upper event
46. Read the description
47. Click OK

Conclusion
In this lab, you have learned how to enable the Exploit Prevention component and how to add a new process to the list of protected processes.
Then you tried to exploit a vulnerability in Microsoft Office; however, Kaspersky Security 10.1 for Windows Server detected the malicious activity, stopped the process, and notified the user in the terminal session.

Lab 13. How to enable Applications Launch Control in the test mode

Scenario. ABC Inc. plans to enable Applications Launch Control on the servers to reinforce protection. The plan is to draw up a white list of applications based on the reference servers, and then make sure that the list ensures correct operation of all servers.

Contents. In this lab, we will:
1. Create a shared folder
2. Configure a rule generation task
3. Run the task and import rules to the policy
4. Enable Applications Launch Control in the test mode

Task A: Create a shared folder

The task that generates rules for Applications Launch Control scans reference computers and outputs the results into an .xml file. The task saves the file in a local or network folder. Then the rules will need to be imported from the file to the policy. If more than one reference computer is used, it makes sense to save the files into a network folder to have all of them in a single location.

The task is performed on Alex-Desktop. The DC, Security-Center, and Docker machines must be powered on.

1. Open Windows Explorer and create a folder named Rules in the root of drive C:\
2. Open the properties of the Rules folder and switch to the Sharing tab
3. Click Share
4. Click Share
5. Click Done
6. Click Close

Task B: Configure a rule generation task

Typically, it is enough for the Rule Generator task to scan only reference servers rather than all servers. Therefore, the task should be created for specific computers rather than for a group. Specify the scanning parameters, reference computers, and the output folder in the task properties.
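The following Python model is an added illustration, not code from the lab guide or from Kaspersky Security 10.1 for Windows Server. It walks through the whole Applications Launch Control workflow that this task and the next lab carry out step by step in the console: allow rules are generated from the executables found on a reference computer, the component first runs in Statistics Only mode (unknown programs start, but an event is recorded), the recorded events are turned into additional allow rules, and finally the component is switched to Default Deny. The matching criterion (a SHA-256 hash of the file), the host names, file paths and file contents are constructed assumptions for the demo; the real Rule Generator task writes XML rules whose format is not described here, and the real component also supports certificate-based rules.

```python
"""Toy model of the Applications Launch Control workflow (added example, not
product code): generate allow rules from a reference computer, run in
Statistics Only mode, add rules from the recorded events, then enforce Default Deny.
All file contents, hosts and paths below are constructed sample data."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    sha256: str  # assumption: rules match executables by SHA-256 hash


@dataclass
class LaunchEvent:
    host: str
    path: str
    sha256: str
    mode: str       # mode the component was in when the launch happened
    blocked: bool   # False in Statistics Only (event only), True in Default Deny


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def generate_rules(reference_files: dict, prefix: str = "Initial_",
                   skip_suffixes: tuple = (".dll",)) -> list:
    """Mirrors the Rule Generator task: one allow rule per executable found on
    the reference computer; DLLs are skipped, as in the lab (step 15)."""
    rules = []
    for path, content in sorted(reference_files.items()):
        if path.lower().endswith(skip_suffixes):
            continue
        rules.append(Rule(prefix + path.rsplit("\\", 1)[-1], file_hash(content)))
    return rules


class LaunchControl:
    STATISTICS_ONLY = "statistics_only"
    DEFAULT_DENY = "default_deny"

    def __init__(self, rules, mode=STATISTICS_ONLY):
        self.allowed_hashes = {r.sha256 for r in rules}
        self.mode = mode
        self.events = []

    def launch(self, host: str, path: str, content: bytes) -> bool:
        """Return True if the program is permitted to run."""
        digest = file_hash(content)
        if digest in self.allowed_hashes:
            return True
        blocked = self.mode == self.DEFAULT_DENY
        self.events.append(LaunchEvent(host, path, digest, self.mode, blocked))
        return not blocked

    def add_rules_from_events(self, prefix: str = "FromEvents_") -> list:
        """Mirrors 'Import data of blocked applications from Kaspersky Security
        Center report': turn Statistics Only events into allow rules."""
        added = []
        for ev in self.events:
            if ev.mode == self.STATISTICS_ONLY and ev.sha256 not in self.allowed_hashes:
                self.allowed_hashes.add(ev.sha256)
                added.append(Rule(prefix + ev.path.rsplit("\\", 1)[-1], ev.sha256))
        return added


def run_demo() -> dict:
    # Constructed "reference computer" contents (Security-Center) and test binaries.
    reference = {
        r"C:\Windows\notepad.exe": b"notepad-bytes",
        r"C:\Windows\System32\kernel32.dll": b"kernel32-bytes",
    }
    putty = b"putty-bytes"       # not on the reference computer (Lab 14)
    acrobat = b"acrobat-bytes"   # never allowed in this demo (Lab 14, Task E)

    alc = LaunchControl(generate_rules(reference))
    result = {"initial_rules": len(alc.allowed_hashes)}

    # Statistics Only: PuTTY starts, but an event is generated.
    result["stats_putty_allowed"] = alc.launch("Docker", r"C:\Users\Alex\Desktop\putty.exe", putty)
    result["stats_events"] = len(alc.events)

    # Administrator imports the blocked-application events as new rules.
    result["rules_added"] = len(alc.add_rules_from_events())

    # Switch to Default Deny and verify: PuTTY is now allowed, the installer is not.
    alc.mode = LaunchControl.DEFAULT_DENY
    result["deny_putty_allowed"] = alc.launch("Docker", r"C:\Users\Alex\Desktop\putty.exe", putty)
    result["deny_acrobat_allowed"] = alc.launch("Docker", r"C:\Users\Alex\Desktop\AdbeRdr950_en_US.exe", acrobat)
    result["denied_events"] = sum(1 for e in alc.events if e.blocked)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes is the reason Task D of this lab starts in Statistics Only mode: with only the reference rules, PuTTY is not covered, and in Default Deny it would have been blocked straight away; the Statistics Only events are what let the administrator extend the rule list before enforcing it.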
The task is performed on Alex-Desktop.

7. Open Kaspersky Security Center Administration Console
8. Go to the Tasks node
9. Click Create a task
10. Under Kaspersky Security 10.1 for Windows Server, select Rule Generator for Applications Launch Control
11. Click Next
12. Type the Initial_ rule name prefix
13. Delete all folders from the scan scope
14. Add the %SystemDrive% environment variable
15. Select all file types, except DLL
16. Click Next
17. Select the check box Add allowing rules to the list of Applications Launch Control rules
18. Specify the path to the file \\Alex-Desktop\Rules\rules.xml
19. Click Next twice
20. Click the top button Select networked devices detected by Administration Server
21. Select the Security-Center computer
22. Click Next
23. Specify a user who has write access to the folder \\Alex-Desktop\Rules: Username ABC\Administrator, password Ka5per5Ky
24. Click Next
25. Click Next
26. Click Finish

Task C: Run the task and import rules to the policy

We will run the created task and import the resulting list of rules to the policy.

The task is performed on Alex-Desktop.

27. Start the task Rule Generator for Applications Launch Control
28. Wait for the task to complete successfully
29. Open the Managed devices node and switch to the Policies tab
30. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
31. Switch to the Local activity control section
32. In the Applications Launch Control area, click the Settings button
33. Click the Rules list button
34. Delete the two default rules
35. Click Add | Import rules from XML file | Merge with existing rules
36. In the folder C:\Rules, select the *.xml file
37. Click Open
38. Click Save

Task D: Enable Applications Launch Control in the test mode

The list of rules generated based on the reference computers may fail to cover all the available configurations of servers protected with Kaspersky Security 10.1 for Windows Server. If you enable Applications Launch Control in the fully operational mode straight off, it may turn out that not all of the required files are allowed on some devices, and they may work incorrectly as a result. Therefore, Applications Launch Control is to be enabled in the Statistics Only mode to begin with.

The task is performed on Alex-Desktop.

39. Make sure that the component is switched to the Statistics only mode
40. Switch to the Task management tab
41. Select the check box Run by schedule
42. Make sure that Frequency is set to At application launch
43. Click OK
44. Close the lock in the Applications Launch Control area
45. Click OK
46. Wait for the policy to be enforced

Conclusion
We’ve completed the initial setup of Applications Launch Control. In the Statistics Only mode, Kaspersky Security 10.1 for Windows Server will not block any programs. If a program that is not allowed by the rules is started, Kaspersky Security 10.1 for Windows Server will just generate an event and send it to the Administration Server. The administrator can learn from these events whether the Applications Launch Control rules allow all the necessary applications.

Lab 14. How to enable Applications Launch Control in the Default Deny mode

Scenario. Applications Launch Control has been enabled in the Statistics Only mode.
The administrator is to consult the list of blocked run events and adjust the rules to make all the necessary programs allowed. When the testing is completed, switch Applications LaunchControl to the fully operational mode. Contents. In this lab, we will: 1. Test the Statistics Only mode 2. Create a selection for the test events 3. Add rules based on the test events 4. Switch Applications Launch Control to the Default Deny mode 5. Verify that unallowed programs cannot be started Task A: Test the Statistics Only mode To test Applications Launch Control in the Statistics Only mode, start a program that was not installed on the reference computer on one of the servers protected with Kaspersky Security 10.1 for Windows Server. L–111 Lab 14 The task is performed on Docker. The DC, Security-Center, and Alex-Desktop machines must be powered on. 1. Log on to the system under the abc\Alex account with the password Ka5per5Ky 2. Run the PuTTY utility (the putty.exe file is located on the desktop) 3. Make sure that the utility has started successfully 4. Click Cancel Task B: Create a selection for the test events In the Statistics Only mode, information on blocked launches is sent to the Administration Server as events. Let’s create a selection of events about the programs that were blocked in the Statistics Only mode. The task is performed on Alex-Desktop. 5. Return to Kaspersky Security Center Administration Console 6. Open the Administration Server node and switch to the Events tab 7. Click Create a selection L–112 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server 8. Enter the selection name: KSWS – Application Launch Control 9. Switch to the Events section 10. In the Application name list, select Kaspersky Security 10.1 for Windows Server 11. Select the Warning severity 12. Click the Clear all button 13. Select the Statistics Only mode: application launch denied event 14. Click OK 15. Click Run selection 16. 
Make sure that the selection shows the PuTTY start event L–113 Lab 14 Task C: Add rules based on the test events If the Administration Server keeps receiving “Statistics Only mode: application launch denied” events, it is possible that not all of the necessary programs have been allowed. The administrator can consult the selection of these events and generate new launch rules based on them. The task is performed on Alex-Desktop. 17. On the selection’s shortcut menu, click Export 18. Click Browse 19. Specify the path to the file C:\Rules\Events.txt 20. Click Next twice L–114 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server 21. Open the Managed devices node and switch to the Policies tab 22. Open the properties of the Kaspersky Security 10.1 for Windows Server policy 23. Switch to the Local activity control section 24. In the Applications Launch Control area, click the Settings button 25. Click the Rules list button 26. Click Add | Import data of blocked applications from Kaspersky Security Center report | Merge with existing rules L–115 Lab 14 27. In the С:\Rules\ folder, select the Events.txt file 28. Click Open 29. Scroll the list of rules down to the bottom 30. Make sure that the new rule has been added 31. Click Save Task D: Switch Applications Launch Control to the Default Deny mode As soon as the rules’ testing has been completed, Applications Launch Control can be switched to the full-fledged operational mode: Default Deny. The task is performed on Alex-Desktop. 32. Switch the component to the Active mode 33. Click OK twice L–116 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server 34. Wait for the policy to be enforced Task E: Verify that unallowed programs cannot be started Make sure that Applications Launch Control blocks programs for which allow rules are not configured. The task is performed on Docker. 35. Log on to the system under the abc\Alex account with the password Ka5per5Ky 36. 
Run the PuTTY utility (the putty.exe file is located on the desktop) 37. Make sure that the utility has started successfully 38. Click Cancel 39. Run the AdbeRdr950_en_US.exe file (it is located on the desktop) 40. Make sure that the file is prohibited from starting 41. Click OK Conclusion In the Default Deny mode, Applications Launch Control blocks any program that is not allowed according to the rules. As a result, malware will not be able to run. Applications Launch Control can be used not only as an additional file protection tool, but also as a stand-alone server protection solution. L–117 Lab 15 Lab 15. How to create allow rules for installation packages and updates Scenario. Application Startup Control reacts to the start of each executable file. However, if an application is supplied within a self-extracting archive, it is insufficient to create an allow rule for this archive only. Such a rule will allow you only to unpack the archive, but will not permit starting the installation. The administrator is to configure Application Startup Control to allow the installation as well as unpacking. Contents. In this lab, we will: 1. Create a rule that allows a self-extracting Adobe Acrobat archive to start 2. Create a rule that allows the Adobe Acrobat installation wizard to start 3. Make sure that the rules work Task A: Create a rule that allows a self-extracting Adobe Acrobat archive to start In this task, we will create an allow rule to ensure that Kaspersky Security 10.1 for Windows Server permits running a self- extracting installer of Adobe Acrobat. The task is performed on Alex-Desktop. The DC, Security-Center, and Docker machines must be powered on. 1. Return to Kaspersky Security Center Administration Console 2. Open the Managed devices node and switch to the Policies tab 3. Open the properties of the Kaspersky Security 10.1 for Windows Server policy L–118 KASPERSKY LAB™ KL 005.10.1: Kaspersky Security 10.1 for Windows Server 4. 
Switch to the Local activity control section
5. In the Applications Launch Control area, click the Settings button
6. Click the Rules list button
7. Click Add | Add one rule
8. Click Set rule triggering criterion from file properties
9. Specify the path to the file C:\Users\Alex.ABC\Downloads\AdbeRdr950_en_US.exe
10. In the Rule triggering criterion area, make sure that the Digital certificate option is selected (a certificate-based rule matches every file signed with that certificate, not only this installer; when a rule must pin one specific file, use the SHA256 hash criterion instead)
11. Click OK
12. Scroll the list of rules down to the bottom
13. Make sure that the new rule has been added
14. Click Save
15. Click OK
16. Wait for the policy to be enforced

Switch to the Docker computer.

17. Run the AdbeRdr950_en_US.exe file (it is located on the desktop)
18. Make sure that the file starts, but that nothing happens after unpacking: the installation does not begin

Switch to the Alex-Desktop machine.

19. Return to Kaspersky Security Center Administration Console
20. Open the KSWS group and switch to the Devices tab
21. On the shortcut menu of the Docker computer, click Custom tools | KSWS
22. In the Control area, next to Applications launches denied, click the figure "3" (the actual number may differ)
23. Switch to the Events tab
24. Open the latest event
25. Read the event description
26. Close all windows

Task B: Create a rule that allows the Adobe Acrobat installation wizard to start

In this task, we will add the Adobe Acrobat distribution to the trust list to ensure that Kaspersky Security 10.1 for Windows Server permits the installation after the archive is unpacked.

The task is performed on Alex-Desktop.

27. Open the Managed devices node and switch to the Policies tab
28. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
29. Switch to the Local activity control section
30.
In the Applications Launch Control area, click the Settings button
31. Switch to the Software Distribution Control tab
32. Select the check box Automatically allow software distribution for applications and packages listed
33. Click the button Change packages list
34. Select Add one distribution package
35. Click Browse
36. Specify the path to the file C:\Users\Alex.ABC\Downloads\AdbeRdr950_en_US.exe
37. Switch Trusting criteria to Use digital certificate
38. Click OK three times
39. Wait for the policy to be enforced

Task C: Make sure that the rule works

In this task, you will make sure that Kaspersky Security 10.1 for Windows Server does not block the installation after the archive is unpacked.

The task is performed on Docker.

40. Run the AdbeRdr950_en_US.exe file (it is located on the desktop)
41. Make sure that the installation wizard of Adobe Reader 9.5.0 starts after the unpacking
42. Click Next
43. Click Install
44. Wait for the installation of Adobe Reader 9.5.0 to complete successfully

Switch to the Alex-Desktop machine.

45. Return to Kaspersky Security Center Administration Console
46. Open the Managed devices node and switch to the Policies tab
47. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
48. Switch to the Local activity control section
49. In the Applications Launch Control area, click the Settings button
50. Switch to the Task management tab
51. Clear the check box Run by schedule
52. Click OK twice
53. Wait for the policy to be enforced

Conclusion

In this lab, you have learned how to configure Applications Launch Control so that Kaspersky Security 10.1 for Windows Server does not block the installation of applications that are supplied as self-extracting archives after the distribution is unpacked. Software Distribution Control allows the files that a trusted distribution package creates and starts; with the Use digital certificate criterion that trust is tied to the package signer, so the list should be limited to publishers you would allow to install software on the server.

Lab 16.
How to configure System Inspection components

Scenario. Two new components have appeared in Kaspersky Security 10.1 for Windows Server: Log Inspection and File Integrity Monitor. Log Inspection analyzes the Windows event logs and uses a set of heuristics to detect abnormal behavior in the system. File Integrity Monitor tracks file operations in the specified areas and records them in the logs of Kaspersky Security 10.1 for Windows Server. The administrator is to enable and configure the Log Inspection and File Integrity Monitor components, and then test how Kaspersky Security 10.1 for Windows Server reacts to various anomalies and monitors file operations.

Contents. In this lab, we will:
1. Configure the Log Inspection component
2. Check how the Log Inspection component works
3. Configure the File Integrity Monitor component
4. Check how the File Integrity Monitor component works

Task A: Configure the Log Inspection component

In this task, you will enable the Log Inspection component and modify some of its settings.

The task is performed first on Alex-Desktop, and then on Security-Center. The DC computer must be turned on.

1. Return to Kaspersky Security Center Administration Console
2. Open the Managed devices node and switch to the Policies tab
3. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
4. Open System Inspection
5. In the Log Inspection area, click Settings
6. Select the check box A service was installed in the system
7. Switch to the tab Predefined rules
8. Click Advanced settings
9. Set the Number of logon failures to 3
10. Click OK
11. Switch to the Task management tab
12. Select the check box Run by schedule
13. Click OK twice
14.
Wait for the policy to be enforced

Task B: Check how the Log Inspection component works

In this task, we will create new services in the system, try to log on to the system with an incorrect password four times (one more than the threshold of three failures configured in Task A), and check how Kaspersky Security 10.1 for Windows Server reacts to our actions.

The task is performed first on Security-Center, and then on Alex-Desktop.

15. Open the C:\Temp\ folder
16. Run the file ConsoleApplication3.exe
17. Make sure that an error message has appeared
18. Click OK
19. Run the command line interface as administrator
20. Carry out the following commands:
    cd c:\Temp\
    PsExec.exe -i -s cmd.exe
21. Click Agree
22. In the window that opens, type the following command (note that sc requires the space after each "=" in its arguments):
    sc create Goro10_1 binPath= "c:\Temp\Goro10.exe" DisplayName= "Goro10_1" start= demand
23. Make sure that the command has completed successfully:
    [SC] CreateService SUCCESS
24. Enter the following command to run the service:
    sc start Goro10_1
25. Make sure that the service has started correctly:
    sc query Goro10_1
26. Start the services.msc snap-in
27. Sign out of the system
28. Try to log on to the system under the abc\Administrator account, but type an incorrect password 4 times

Switch to the Alex-Desktop machine.

29. Return to Kaspersky Security Center Administration Console
30. Open the KSWS group and switch to the Devices tab
31. On the shortcut menu of the Security-Center computer, click Custom tools | KSWS
32. In the Diagnostics area, next to Possible violations, click the figure "5" (the actual number may differ)
33. Switch to the Events tab
34. Open the lowermost event, which is related to the Application popup detection rule
35. Read the event description
36. Open the event New driver installed in the system, which was logged when PsExec.exe was run
37. Read the event description
38.
Open the events related to the rule A service was installed in the system; they appeared when the PSEXESVC and Goro10_1 services were created (PsExec installs its own PSEXESVC service on the target to run the command, which is why two services were created)
39. Read the events' descriptions
40. Open the event related to the rule There are patterns of a possible brute-force attack in the system, which was logged after the 4 unsuccessful attempts to log on to the system
41. Read the event description

Task C: Configure the File Integrity Monitor component

In this task, you will enable the File Integrity Monitor component and add a monitoring area.

The task is performed on Alex-Desktop.

42. Return to Kaspersky Security Center Administration Console
43. Open the Managed devices node and switch to the Policies tab
44. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
45. Open System Inspection
46. In the File Integrity Monitor area, click the Settings button
47. Click Add
48. Add the folder C:\Temp\*
49. Switch to the File operation markers tab
50. Make sure that the following option is selected: Detect file operations basing on all recognizable markers
51. Click OK
52. Switch to the Task management tab
53. Select the check box Run by schedule
54. Click OK
55. Close the lock on the File Integrity Monitor area
56. Click OK
57. Wait for the policy to be enforced

Task D: Check how the File Integrity Monitor component works

In the previous task, we added a folder in which Kaspersky Security 10.1 for Windows Server will monitor all file operations. In this task, we will modify the attributes of a file, archive another file, and check how Kaspersky Security 10.1 for Windows Server reacts to our actions.

The task is performed first on Security-Center, and then on Alex-Desktop.

58. Open the C:\Temp\ folder
59. Open the properties of the Goro10.exe file
60. Select the check box Hidden
61.
Click OK
62. On the shortcut menu of the file torbrowser-install-7.5.3_en-US.exe, click Send to | Compressed (zipped) folder
63. Make sure that the file has been archived

Switch to the Alex-Desktop machine.

64. Return to Kaspersky Security 10.1 Console
65. Switch to the main page
66. In the Diagnostics area, next to Possible violations, click the figure "11" (the actual number may differ)
67. Switch to the Events tab
68. Note that the information about the actions performed on the files is displayed in the events of the File Integrity Monitor task
69. Read the events' descriptions

Conclusion

This lab demonstrates how to enable and configure the Log Inspection and File Integrity Monitor components so that Kaspersky Security 10.1 for Windows Server detects abnormal behavior in the system and records file operations in the critical areas of the server. All information about suspicious activity is saved to the log of Kaspersky Security 10.1 for Windows Server; to make it available outside the server, for example for correlation with other sources, it has to be forwarded to a SIEM system, which is the subject of the next lab.

Lab 17. How to configure integration with a SIEM system

Scenario. The Splunk Enterprise SIEM solution is deployed in the network; it gathers, stores and indexes the logs of various security systems and permits analyzing them. Kaspersky Security 10.1 for Windows Server can send events to SIEM systems. The administrator needs to configure Kaspersky Security 10.1 for Windows Server to transfer all logged events to Splunk Enterprise.

Contents. In this lab, we will:
1. Configure Splunk Enterprise
2. Configure sending Kaspersky Security 10.1 for Windows Server events to SIEM
3. Make sure that events are delivered to SIEM

Task A: Configure Splunk Enterprise

In this task, you will configure Splunk Enterprise to enable it to receive events over syslog.

The task is performed on Alex-Desktop. The DC, Security-Center, and SIEM machines must be powered on.

1. Run the Mozilla Firefox browser
2. Open http://10.28.0.70:8000
3.
Specify the account configured for connecting to the web console: admin and the admin password
4. Click Sign in
5. Click Settings | DATA | Data inputs
6. Find the TCP type and click the respective Add new link
7. Specify the TCP type and port 514
8. Click Next
9. Click Select Source Type
10. Type syslog
11. Select syslog
12. Click Review
13. Click Submit
14. Minimize the Mozilla Firefox window

Task B: Configure sending Kaspersky Security 10.1 for Windows Server events to SIEM

In this task, you will configure notifications in Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.

15. Return to Kaspersky Security Center Administration Console
16. Open the Managed devices node and switch to the Policies tab
17. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
18. Switch to the Logs and notifications section
19. In the Task logs area, click Settings
20. Switch to the SIEM integration tab
21. Select the check box Send events to a remote syslog server via syslog protocol
22. In the Events format area, make sure that the option Convert events to STRUCTURED-DATA is selected
23. Specify the address of the Splunk server, 10.28.0.70, and port TCP 514 (plain syslog over TCP is neither encrypted nor authenticated; this is acceptable on the isolated lab network, but in production restrict the Splunk input to the sending servers or protect it with TLS)
24. Click OK
25. Close the lock in the Task logs area
26. Click OK
27. Wait for the policy to be enforced

Task C: Make sure that events are delivered to SIEM

In this task, we will verify that events are delivered to SIEM.

The task is performed on Alex-Desktop.

28. Open the Managed devices node and switch to the Tasks tab
29. Run the Database update – KSWS 10.1 task and wait for it to complete
30. Restore the Mozilla Firefox window
31. Go to the SPLUNK main page (click SPLUNK> in the upper-left corner of the page)
32.
Click Search & Reporting
33. Click the Data Summary button
34. Click the Security-Center.abc.lab link in the Host column
35. Make sure that the SIEM system has started to receive events
36. Return to Kaspersky Security Center Administration Console
37. Open the Managed devices node and switch to the Policies tab
38. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
39. Switch to the Logs and notifications section
40. In the Task logs area, click Settings
41. Switch to the SIEM integration tab
42. Change the events' format to Convert events to JSON
43. Click OK
44. Wait for the policy to be enforced
45. Open the Managed devices node and switch to the Tasks tab
46. Run the Software Modules Update – KSWS 10.1 task and wait for it to complete
47. Restore the Mozilla Firefox window
48. To refresh the data in the Splunk Enterprise console, click the magnifying glass button on the right
49. Wait for new events to appear
50. Note that the event format differs from that of the previous events

Conclusion

In this lab, you have learned how to configure Splunk Enterprise to receive events over the syslog protocol. We configured Kaspersky Security 10.1 for Windows Server to transfer events to the SIEM system and verified that the events are delivered. Kaspersky Security 10.1 for Windows Server can send events in two formats: syslog STRUCTURED-DATA and JSON. Whichever format you choose, keep it fixed once the SIEM field extractions have been built for it: as the two batches of events in Splunk show, the formats look different and one parser will not serve both.

Lab 18. How to set Traffic Security to the External Proxy mode

Scenario. ABC Inc. protects its network with Kaspersky Lab solutions. In particular, Kaspersky Security 10.1 for Windows Server is installed on business-critical servers. The administrator manages the protection products through Kaspersky Security Center. Also, a Squid proxy is deployed in the network, through which workstations connect to the Internet.
The administrator is to configure redirecting web traffic to the Traffic Security component of Kaspersky Security 10.1 for Windows Server to scan it for malicious objects.

Contents. In this lab, we will:
1. Configure the Squid proxy server
2. Configure the Traffic Security component
3. Test integration of Squid and Kaspersky Security 10.1 for Windows Server

Task A: Configure the Squid proxy server

The Squid proxy installed in the network supports ICAP, over which downloaded objects can be handed to the antivirus server for scanning. To integrate Squid with Kaspersky Security 10.1 for Windows Server, you need to change the proxy configuration file.

The task is performed on Alex-Desktop. The DC, Security-Center, and Proxy machines must be powered on.

1. Run the PuTTY utility (the putty.exe file is located on the desktop)
2. Enter the connection address: 10.28.0.15
3. Click Open
4. Enter username root and password Ka5per5Ky
5. Enter the following command to open the Squid configuration file:
    nano /etc/squid/squid.conf
6. Add the following lines at the end of the file:
    icap_enable on
    icap_send_client_ip on
    icap_service service_resp respmod_precache bypass=1 icap://10.28.0.20:1345/webscan
    adaptation_access service_resp allow all
   Note that bypass=1 makes the integration fail open: if the ICAP service on 10.28.0.20 is down or does not answer, Squid delivers the response to the client unscanned instead of returning an error. Use bypass=0 where an unscanned download is worse than a failed one.
7. Press CTRL+X to close the text editor
8. Press Y to save the changes
9. Press ENTER
10. Enter the following command to restart the Squid service:
    systemctl restart squid

Task B: Configure the Traffic Security component

In this task, you will switch the component to the External Proxy mode.

The task is performed on Alex-Desktop.

11. Open the Managed devices node and switch to the Policies tab
12. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
13. Switch to the Real-time server protection section
14. In the Traffic Security area, click Settings
15. Change the Task mode to External Proxy
16. Click OK twice
17.
Wait for the policy to be enforced

Task C: Test integration of Squid and Kaspersky Security 10.1 for Windows Server

In this task, we will first change the browser settings on a client computer to send its traffic through the Squid proxy server. Then, to make sure that Kaspersky Security 10.1 for Windows Server receives the web traffic to be scanned from Squid over ICAP, we will try to download the eicar.com test file from the eicar.org website. Only plain HTTP responses reach the ICAP service: HTTPS connections pass through Squid as opaque CONNECT tunnels unless SSL interception is configured on the proxy, which is why the test uses an http:// URL.

The task is performed on Alex-Desktop.

18. Run the Mozilla Firefox browser
19. Open Options | General
20. Scroll to the bottom of the page
21. In the Network Proxy area, click Settings
22. Type 10.28.0.15 for the proxy server address, and specify port 3128
23. Select the check box Use this proxy server for all protocols
24. Click OK
25. In the web browser, go to http://www.eicar.org/85-0-Download.html
26. Try to download the eicar.com file
27. Make sure that Kaspersky Security 10.1 for Windows Server blocks this action
28. Return to Kaspersky Security Center Administration Console
29. Open the KSWS group and switch to the Devices tab
30. On the shortcut menu of the Security-Center computer, click Custom tools | KSWS
31. In the Server protection area, next to Objects detected, click the figure "1" (the actual number may differ)
32. Switch to the Events tab
33. Consult the virus detection events
34. Click Close

Conclusion

In this lab, you have learned how to configure Squid to send objects for scanning to Kaspersky Security 10.1 for Windows Server.
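The following Python script is an added example written for this guide; it is not part of the lab and not code from Kaspersky or the Squid project. It shows what the icap_service line added to squid.conf in Task A sets up: it parses the directive and reports whether bypass=1 makes the proxy fail open, and it assembles the ICAP RESPMOD request (RFC 3507) with which Squid hands an HTTP response to the webscan service, including the Encapsulated offsets that the service uses to locate the HTTP headers and body. The service URL is the one from the lab; the HTTP request and response that are encapsulated are constructed, with a harmless placeholder body in place of eicar.com.

```python
"""Added example (not from the lab guide, Squid or Kaspersky): check a squid.conf
icap_service directive for fail-open behaviour and build the ICAP RESPMOD request
(RFC 3507) with which Squid hands an HTTP response to the webscan service."""
import re
from dataclasses import dataclass


@dataclass
class IcapService:
    name: str
    vectoring_point: str   # e.g. respmod_precache: adapt responses before caching
    url: str
    bypass: bool           # bypass=1: on ICAP failure, pass the response through unscanned


def parse_icap_service(line: str) -> IcapService:
    """Parse 'icap_service <name> <vectoring point> [key=value ...] <icap URL>'."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "icap_service":
        raise ValueError("not an icap_service directive")
    opts = dict(p.split("=", 1) for p in parts[3:-1] if "=" in p)
    return IcapService(parts[1], parts[2], parts[-1], opts.get("bypass", "0") in ("1", "on"))


def fail_open(service: IcapService) -> bool:
    """True when an outage of the antivirus ICAP server lets downloads through unscanned."""
    return service.bypass


def build_respmod(service_url: str, request_head: bytes, response_head: bytes, body: bytes) -> bytes:
    """Encapsulate an HTTP request head, response head and body in a RESPMOD request.
    Per RFC 3507 the Encapsulated header carries the byte offset of each section
    within the ICAP body, and the HTTP body is sent with chunked transfer encoding."""
    host = re.match(r"icap://([^/:]+)", service_url).group(1)
    req = request_head if request_head.endswith(b"\r\n\r\n") else request_head + b"\r\n\r\n"
    res = response_head if response_head.endswith(b"\r\n\r\n") else response_head + b"\r\n\r\n"
    encapsulated = f"req-hdr=0, res-hdr={len(req)}, res-body={len(req) + len(res)}"
    icap_head = (f"RESPMOD {service_url} ICAP/1.0\r\n"
                 f"Host: {host}\r\n"
                 "Allow: 204\r\n"        # we accept "204 No Content" for clean objects
                 f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    chunked = (f"{len(body):x}\r\n".encode() + body + b"\r\n" if body else b"") + b"0\r\n\r\n"
    return icap_head + req + res + chunked


def parse_encapsulated(message: bytes) -> dict:
    """Return {section: offset} from the Encapsulated header of an ICAP message."""
    head = message.split(b"\r\n\r\n", 1)[0].decode()
    for line in head.split("\r\n"):
        if line.lower().startswith("encapsulated:"):
            return {k.strip(): int(v) for k, v in
                    (item.split("=") for item in line.split(":", 1)[1].split(","))}
    raise ValueError("no Encapsulated header")


def icap_verdict(status_line: bytes) -> str:
    """204 = object unchanged (clean); 200 = the service replaced the response, e.g.
    with a block page; anything else is an error the proxy has to handle (and with
    bypass=1 Squid handles it by delivering the original response unscanned)."""
    code = int(status_line.split()[1])
    return {204: "clean", 200: "modified"}.get(code, f"error {code}")


if __name__ == "__main__":
    svc = parse_icap_service(
        "icap_service service_resp respmod_precache bypass=1 icap://10.28.0.20:1345/webscan")
    print(svc, "fail-open:", fail_open(svc))
    # Constructed HTTP exchange; the real test carries the eicar.com download instead.
    req = b"GET http://example.test/file.com HTTP/1.1\r\nHost: example.test\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    print(build_respmod(svc.url, req, res, b"sample-body").decode())
```

To try the request against the lab service, send the bytes returned by build_respmod over a TCP connection to 10.28.0.20:1345 and feed the first line of the reply to icap_verdict; a 204 means the object was passed unchanged, a 200 means the service replaced it.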
You switched the Traffic Security component to the External Proxy mode to enable Kaspersky Security 10.1 for Windows Server to receive objects from third-party solutions, and made sure that an attempt to download an infected object was blocked and that information about the detected threat is displayed in Kaspersky Security 10.1 Console.

Lab 19. How to protect a NetApp Clustered Data ONTAP 9.3 storage

Scenario. ABC Inc. protects its network with Kaspersky Lab solutions. In particular, Kaspersky Security 10.1 for Windows Server is installed on business-critical servers. The administrator manages the protection products through Kaspersky Security Center. A NetApp Clustered Data ONTAP 9.3 network-attached storage is deployed in the network, which is to be protected with Kaspersky Security 10.1 for Windows Server.

Contents. In this lab, we will:
1. Configure interaction of the network storage and antivirus server
2. Test the antivirus protection

Task A: Configure interaction of the network storage and antivirus server

To integrate Kaspersky Security 10.1 for Windows Server with NetApp Clustered Data ONTAP 9.3, you need to configure both the antivirus server and the network storage.

The task is performed first on Security-Center, and then on Alex-Desktop. The DC and NetApp computers must be turned on.

1. Press WIN + R and type lusrmgr.msc, then press ENTER
2. Add the abc\ontapavc account to the local Administrators group
3. Click OK
4. Press WIN + R and type secpol.msc, then press ENTER
5. Open the Security Settings | Local Policies | Security Options container
6. Configure the following parameters:
   — Network access: Do not allow anonymous enumeration of SAM accounts = Disabled
   — Network access: Let Everyone permissions apply to anonymous users = Enabled
   — Network access: Restrict anonymous access to Named Pipes and Shares = Disabled
   These three settings relax the server's default hardening against anonymous SMB and RPC access, which the storage's connection to the antivirus connector requires. Apply them only to the antivirus servers that serve the NAS, and restrict SMB on those servers with the firewall to the storage's addresses.

Switch to the Alex-Desktop machine.

7.
Run the PuTTY utility (the putty.exe file is located on the desktop)
8. Enter the connection address: 10.28.0.63
9. Click Open
10. Click Yes
11. Enter username admin, password Ka5per5Ky
12. Carry out the following command to set up an authentication tunnel for the abc.lab domain, so that domain accounts can be used for authentication on the cluster:
    domain-tunnel create -vserver SVM-ABC
13. Carry out the following command to create a cluster account associated with a domain account (the read-only vsadmin-readonly role is sufficient, since the connector only needs to read the SVM configuration):
    security login create -user-or-group-name abc\ontapavc -application ontapi -authentication-method domain -role vsadmin-readonly -vserver SVM-ABC

Switch to the Security-Center computer.

14. Run the ONTAP_AV_Connector-1.0.4.exe file (it is located on the desktop)
15. Click Install
16. Click Yes
17. Click Next
18. Specify the account configured for connecting to the network storage: abc\ontapavc, password Ka5per5Ky
19. Click Next
20. Click Install
21. Wait for the installation to complete
22. Select the Configure ONTAP Management LIFs check box
23. Click Finish
24. Specify the following values:
   — Management LIF = 10.28.0.80
   — Poll = 60
   — Account = abc\ontapavc
   — Password = Ka5per5Ky
25. Click Test
26. Make sure that the connection has been established successfully
27. Click OK
28. Click Update
29. Click Save
30. Click Quit

Switch to the Alex-Desktop machine.

31. Return to Kaspersky Security Center Administration Console
32. Open the Managed devices node and switch to the Policies tab
33. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
34. Switch to the section Network Attached storage protection
35. In the Real-Time File Protection (RPC) area, click Settings
36. Specify the account configured for connecting to the network storage: abc\ontapavc, password Ka5per5Ky
37.
Switch to the Protection scope tab
38. Click Add
39. Type the network storage address: 127.0.0.1 (the ONTAP AV Connector runs on the same server as Kaspersky Security 10.1 for Windows Server, so the loopback address is used)
40. Click OK
41. Switch to the Task management tab
42. Select the check box Run by schedule
43. Make sure that Frequency is set to At application launch
44. Click OK
45. Close the lock on the Real-Time File Protection (RPC) area
46. Switch to the Logs and notifications section
47. In the Task logs area, click Settings
48. Change the following values in the Event logging area:
   — Component = RPC-Network Storage Protection
   — Importance level = Informational events
49. Click OK twice
50. Wait for the policy to be enforced
51. Run the PuTTY utility unless it is already started. Use the same connection address, 10.28.0.63, username admin and password Ka5per5Ky
52. Enter the following command to create a scanner pool:
    vserver vscan scanner-pool create -vserver SVM-ABC -scanner-pool MyPool -hostnames 10.28.0.20 -privileged-users abc\ontapavc
53. Enter the following command to apply the scanner policy to the scanner pool:
    vserver vscan scanner-pool apply-policy -vserver SVM-ABC -scanner-pool MyPool -scanner-policy primary
54. Enter the following command to make sure that the policy has been applied:
    vserver vscan on-access-policy show
55. Enter the following command to enable antivirus scanning:
    vserver vscan enable -vserver SVM-ABC
56. Enter the following command to make sure that the previous command has succeeded:
    vserver vscan show

Task B: Test the antivirus protection

To make sure that Kaspersky Security 10.1 for Windows Server operates correctly, let's try to copy the eicar.com and eicar_cure.com test files to the network storage.

The task is performed on Alex-Desktop.

57. Open the folder \\svm-abc\Test
58. Copy the files eicar.com and eicar_cure.com
59.
Return to Kaspersky Security Center Administration Console
60. Open the KSWS group and switch to the Devices tab
61. On the shortcut menu of the Security-Center computer, click Custom tools | KSWS
62. Switch to the Network Attached Storage Protection tab
63. In the Real-time protection area, next to Detected, click the figure "1" (the actual number may differ)
64. Switch to the Events tab
65. Consult the virus detection events
66. Click Close
67. Expand the Storages node and select the Backup container
68. Consult the contents of the Backup container

Conclusion

In the first task of this lab, we configured interaction between Kaspersky Security 10.1 for Windows Server and NetApp Clustered Data ONTAP 9.3. In the second task, we verified that real-time protection works and that information about the detected threats is displayed in the Kaspersky Security 10.1 Console.

Lab 20. How to configure Anti-Cryptor for NetApp

Scenario. A new component, Anti-Cryptor for NetApp, has appeared in Kaspersky Security 10.1 for Windows Server. It protects NetApp NAS storages not only from viruses, but also from file-encrypting ransomware. The administrator is to configure the Anti-Cryptor for NetApp component of Kaspersky Security 10.1 for Windows Server and make sure that it works.

Contents. In this lab, we will:
1. Prepare NetApp Clustered Data ONTAP 9.3
2. Configure Anti-Cryptor for NetApp
3. Make sure that protection against encryption works correctly

Task A: Prepare NetApp Clustered Data ONTAP 9.3

In this task, we will configure the FPolicy component on the network storage side, which permits third-party applications to monitor file operations on the network storage.

The task is performed on Alex-Desktop. The DC, Security-Center, and NetApp machines must be powered on.

1. Run the PuTTY utility (the putty.exe file is located on the desktop)
2. Enter the connection address: 10.28.0.63
3.
Click Open
4. Click Yes
5. Enter username admin, password Ka5per5Ky
6. Enter the following command to create an FPolicy external engine:
    vserver fpolicy policy external-engine create -vserver SVM-ABC -engine-name KSWS -primary-servers 10.28.0.20 -port 1346 -extern-engine-type synchronous -ssl-option no-auth
   The engine is synchronous, so the storage waits for the verdict of Kaspersky Security 10.1 for Windows Server before completing each screened file operation. The no-auth option means the connection between the storage and 10.28.0.20 is neither encrypted nor mutually authenticated, which is acceptable on the isolated lab network only.
7. Make sure that the previous command has succeeded:
    vserver fpolicy policy external-engine show
8. Enter the following command to create an FPolicy event:
    vserver fpolicy policy event create -vserver SVM-ABC -event-name cifs_event -protocol cifs -file-operations create,open,rename,write,close,setattr,delete -volume-operation false -filters close-with-modification,first-write,write-with-size-change,open-with-delete-intent
9. Make sure that the previous command has succeeded:
    vserver fpolicy policy event show
10. Enter the following command to create an FPolicy policy:
    vserver fpolicy policy create -vserver SVM-ABC -policy-name kswspolicy -events cifs_event -engine KSWS -is-mandatory true -allow-privileged-access yes -privileged-user-name abc\ontapavc
   With -is-mandatory true the policy fails closed: if the external engine cannot be reached, the file operations it screens are denied rather than allowed, so an outage of the antivirus server blocks access to the share until it is restored.
11. Enter the following command to configure the policy scope:
    vserver fpolicy policy scope create -vserver SVM-ABC -policy-name kswspolicy -shares-to-include * -file-extensions-to-include ""
12. Enter the following command to enable the FPolicy policy:
    vserver fpolicy enable -vserver SVM-ABC -policy-name kswspolicy -sequence-number 1

Task B: Configure Anti-Cryptor for NetApp

In this task, you will configure and enable the Anti-Cryptor for NetApp component in the policy of Kaspersky Security 10.1 for Windows Server.

The task is performed on Alex-Desktop.

13. Return to Kaspersky Security Center Administration Console
14. Open the Managed devices node and switch to the Policies tab
15. Open the properties of the Kaspersky Security 10.1 for Windows Server policy
16.
Switch to the section Network Attached storage protection
17. In the Anti-Cryptor for NetApp area, click Settings
18. Make sure that the Active mode is selected
19. Switch to the Addressing tab
20. Specify the following settings in the Connection area:
   — IP address of protected cluster = 10.28.0.63
   — Vserver name = SVM-ABC
   — FPolicy name = kswspolicy
   — Port = 1346
21. Click the button List of cluster nodes
22. Enter cluster-abc-01 for the cluster node name
23. Click Add
24. Click OK
25. Specify the domain account configured for connecting to the network storage: abc\ontapavc, password Ka5per5Ky
26. Specify the account that has administrator permissions on the network storage: admin, password Ka5per5Ky
27. Switch to the Task management tab
28. Select the check box Run by schedule
29. Make sure that Frequency is set to At application launch
30. Click OK
31. Close the lock on the Anti-Cryptor for NetApp area
32. Click OK
33. Wait for the policy to be enforced

Task C: Make sure that protection against encryption works correctly

To make sure that Kaspersky Security 10.1 for Windows Server operates correctly, let's try to encrypt files in the network storage from a remote computer.

The task is performed on Alex-Desktop.

34. Open the folder \\svm-abc\Test
35. Copy the Docs folder to it (you can find the folder on the desktop)
36. Open the Docs folder
37. Select all files (CTRL+A)
38. Right-click them and select AES Encrypt on the shortcut menu
39. Type the password: 123
40. Click OK
41. Make sure that the following error is displayed at the attempt to encrypt the files: Access is denied
42. Click OK
43. Return to Kaspersky Security Center Administration Console
44. Open the KSWS group and switch to the Devices tab
45. On the shortcut menu of the Security-Center computer, click Custom tools | KSWS
46.
Switch to the Network Attached Storage Protection tab
47. In the Anti-Cryptor protection area, next to Malicious encryption attempts detected, click the figure "1" (the actual number may differ)
48. Switch to the Events tab
49. Consult the detection events
50. Click Close

Conclusion

In this lab, you have learned how to configure the Anti-Cryptor for NetApp component to enable Kaspersky Security 10.1 for Windows Server to monitor actions performed on files and protect a NetApp Clustered Data ONTAP 9.3 NAS storage against file-encrypting ransomware.

v.1.15

Lab 1. How to prepare the Administration Server
Task A: Unpack the Kaspersky Security 10.1 for Windows Server distribution on the administrator's workstation
Task B: Add a license for Kaspersky Security 10.1 for Windows Server
Task C: Create a group for Kaspersky Security 10.1 for Windows Server
Task D: Create an installation package for Kaspersky Security 10.1 for Windows Server

Lab 2. How to install Kaspersky Security 10.1 for Windows Server
Task A: Install Kaspersky Security 10.1 for Windows Server through Kaspersky Security Center
Task B: Control the installation results

Lab 3. How to install Kaspersky Security 10.1 Console
Task A: Install Kaspersky Security 10.1 Console locally
Task B: In Kaspersky Security Center, create a utility that will start Kaspersky Security Console and automatically connect to the selected server

Lab 4. How to configure updates and on-demand scanning
Task A: Complete the Managed Application Quick Start Wizard
Task B: Create a module update task
Task C: Create a full scan task for servers

Lab 5. How to configure Real-Time Protection
Task A: Configure a notification about module updates
Task B: Enable Kaspersky Security Network
Task C: Make sure that the KSN task is running

Lab 6.
How to test protection of Docker containers Task A: Configure the Real-Time File Protection task Task B: Test protection of Docker containers without accessing a malicious file Task C: Test protection of Docker containers when a malicious file is accessed Lab 7. How to test protection of Windows Subsystem for Linux Task A: Make sure that Kaspersky Security 10.1 for Windows Server can detect malicious files that run within Windows Subsystem for Linux Lab 8. How protection of server shared folders works Task A: Make sure that Kaspersky Security 10.1 for Windows Server can block remote computers Lab 9. How to configure the Anti-Cryptor component Task A: Enable the Anti-Cryptor component Task B: Make sure that the Anti-Cryptor task can detect encryption activities Lab 10. How to set Traffic Security to Driver Interceptor mode Task A: Enable notifications for terminal users Task B: Enable the Traffic Security component Task C: Verify that unwanted websites are blocked Task D: Verify that Tor networks are blocked Lab 11. How to configure Traffic Security to scan mail traffic Task A: Install Kaspersky Security 10.1 Add-in for Microsoft Outlook Task B: Enable mail threat protection Task C: Verify that Kaspersky Security 10.1 for Windows Server intercepts mail traffic Lab 12. How to configure Exploit Prevention Task A: Enable protection against exploits Task B: Make sure that protection against exploits works correctly Lab 13. How to enable Applications Launch Control in the test mode Task A: Create a shared folder Task B: Configure a rule generation task Task C: Run the task and import rules to the policy Task D: Enable Applications Launch Control in the test mode Lab 14. 
How to enable Applications Launch Control in the Default Deny mode Task A: Test the Statistics Only mode Task B: Create a selection for the test events Task C: Add rules based on the test events Task D: Switch Applications Launch Control to the Default Deny mode Task E: Verify that unallowed programs cannot be started Lab 15. How to create allow rules for installation packages and updates Task A: Create a rule that allows a self-extracting Adobe Acrobat archive to start Task B: Create a rule that allows the Adobe Acrobat installation wizard to start Task C: Make sure that the rule works Lab 16. How to configure System Inspection components Task A: Configure the Log Inspection component Task B: Check how the Log Inspection component works Task C: Configure the File Integrity Monitor component Task D: Check how the File Integrity Monitor component works Lab 17. How to configure integration with a SIEM system Task A: Configure Splunk Enterprise Task B: Configure sending Kaspersky Security 10.1 for Windows Server events to SIEM Task C: Make sure that events are delivered to SIEM Lab 18. How to set Traffic Security to the External Proxy mode Task A: Configure the Squid proxy server Task B: Configure the Traffic Security component Task C: Test integration of Squid and Kaspersky Security 10.1 for Windows Server Lab 19. How to protect a NetApp Clustered Data ONTAP 9.3 storage Task A: Configure interaction of the network storage and antivirus server Task B: Test the antivirus protection Lab 20. How to configure Anti-Cryptor for NetApp Task A: Prepare NetApp Clustered Data ONTAP 9.3 Task B: Configure Anti-Cryptor for NetApp Task C: Make sure that protection against encryption works correctly
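The PowerShell script below is an added example for Lab 20, Task C; it is not part of the original lab guide and not a Kaspersky Lab tool. It reproduces steps 35 to 41 without the AES Crypt shell extension: it copies the Docs folder to the protected share, rewrites each file as an AES-256 ciphertext (in the example's own format, not AES Crypt's), deletes the original, and stops at the first Access is denied, reporting how many files were rewritten before Anti-Cryptor for NetApp blocked the host. The share \\svm-abc\Test, the Docs folder on the desktop and the password 123 come from the lab; the parameter names, the .aes extension, the salt and the iteration count are the example's own assumptions.

```powershell
# Added example (not from the lab guide): scripted version of Lab 20, Task C.
# Assumptions: the lab share \\svm-abc\Test, a Docs folder on the desktop and
# the throw-away password 123 from step 39. Run on Alex-Desktop.
param(
    [string]$Share    = '\\svm-abc\Test',
    [string]$Source   = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Docs'),
    [string]$Password = '123'
)

$ErrorActionPreference = 'Stop'

# Derive an AES-256 key from the password with PBKDF2. The cipher itself is
# irrelevant to Anti-Cryptor, which reacts to the pattern of remote file
# rewrites and deletions, not to the algorithm used. Fixed salt and 10000
# iterations are example choices, not anything the product requires.
$salt = [byte[]](1..16)
$kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes -ArgumentList $Password, $salt, 10000
$aes  = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 256
$aes.Key     = $kdf.GetBytes(32)

function ConvertTo-EncryptedFile {
    param([string]$Path)
    # Mimic a crypto-locker: write an encrypted copy under a new extension
    # (random IV prepended), then delete the original. Both are remote writes
    # that the FPolicy server can observe. All calls are .NET calls so that an
    # access-denied result surfaces as a real exception.
    $plain = [System.IO.File]::ReadAllBytes($Path)
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [System.IO.File]::WriteAllBytes("$Path.aes", [byte[]]($aes.IV + $cipher))
    [System.IO.File]::Delete($Path)
}

# Step 35: copy the test documents to the protected share.
$target = Join-Path $Share 'Docs'
Copy-Item -LiteralPath $Source -Destination $target -Recurse

# Steps 37 to 41: encrypt every file and stop at the first denial.
$done   = 0
$denied = $null
foreach ($file in Get-ChildItem -LiteralPath $target -File) {
    try {
        ConvertTo-EncryptedFile -Path $file.FullName
        $done++
    } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
        # Expected outcome from step 41: "Access is denied" once the host is blocked.
        $denied = $_.Exception.Message
        break
    }
}

if ($denied) {
    Write-Host "Blocked after $done file(s): $denied"
} else {
    Write-Warning "All $done file(s) were encrypted; Anti-Cryptor did not intervene. Re-check the policy from Task B and the FPolicy connection settings."
}
```

Detection is behavioural, so a value of $done greater than zero means those files were rewritten before the block took effect; restore them from a backup or storage snapshot before running the test again. If the copy in step 35 itself fails with Access is denied, the host is still blocked from an earlier attempt: wait for the block to end, or unblock the host in the console, before retrying. After a blocked run, continue with steps 43 to 50 to confirm that the attempt appears under Malicious encryption attempts detected.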
