CONTACTING THE TECHNICAL SUPPORT SERVICE
You can receive information about the application from the specialists of the Technical Support Service over the phone or via Internet. While contacting the Technical Support Service, please provide information about your license for the Kaspersky Lab's product that is used with Kaspersky Administration Kit. Experts at Technical Support Service will answer your questions pertaining to the installation and use of the application that are not covered in help topics. If your computer has been infected, they will assist you in neutralizing the consequences of malware activity. Please read the support rules before contacting the Technical Support service http://support.kaspersky.com/support/rules.
Email request to the Technical Support Service
You can ask your question to the Technical Support Service specialists by filling out a Helpdesk web form at http://support.kaspersky.com/helpdesk.html. You can send your inquiry in Russian, English, German, French or Spanish. To send an email request, you should specify your customer ID received during registration at the Technical Support Service web site, and your password in it. If you are not yet a registered user of Kaspersky Lab's applications you can fill out a registration form (https://support.kaspersky.com/en/personalcabinet/registration/form/). During registration enter the activation code for your application or the license key serial number. The Technical Support service will respond to your request in your Personal Cabinet https://support.kaspersky.com/en/PersonalCabinet), and to the email address you specified in your request. Please describe your problem with all possible details in the query web form. Specify in the mandatory fields: Request type. Most frequent user questions are arranged in separate topics, for example, "Problems with Setup / Remove application" or "Virus disinfection". If you find no suitable section, select "General question".
Application name and version number. Request description. Please describe your problem with all details. Customer ID and password. Enter the customer ID and password received during registration at the Technical Support Service web site. Email address. The experts of the Technical Support Service will send their reply to your inquiry to that address.
Technical support over the phone
If an urgent problem has occurred, you can always call the Technical Support Service in your city. Before you contact the specialists of the Russian (http://support.kaspersky.ru/support/support_local) or international (http://support.kaspersky.com/support/international) Technical Support, please collect information (http://support.kaspersky.com/support/details) about your computer. It will help our experts assist you with maximum efficiency.

ADMINISTRATOR'S WORKSTATION
Computers with the installed Kaspersky Administration Console will be further referred to as administrator's workstations. Administrators can use these computers to manage remotely all Kaspersky Lab's applications installed on client computers in a centralized manner. After Kaspersky Administration Console is installed, its icon appears in the Start Administration Kit menu and can be used to start the console. Programs Kaspersky
Administrator's workstation is not an object of administration group, but it can also be included in a group as a client computer. There are no restrictions for the number of administrator's workstations. Administrator's workstations for different Administration Servers can be the same; each workstation can be used to manage the administration groups of any Administration Server within a corporate network. Within administration groups of any Server, the same computer can act as an Administration Server client, Administration Server or administrator's workstation.
APPLICATION CONFIGURATION PLUG-IN
The interface for management of a specific application via Kaspersky Administration Console is provided by a specialized component application configuration plug-in. It is included in all Kaspersky Lab's applications that can be controlled
using Kaspersky Administration Kit. Each application that can be managed via Kaspersky Administration Kit has its own plug-in. It is installed on the administrator's workstation and provides: the set of dialogs (interface) for creation and editing of application policies; the set of dialogs (interface) for creation and editing of application policies; the set of dialogs (interface) for creation and editing of settings for the application tasks; information about the tasks implemented in an application; information about application events; functionality necessary to display the information about application operation and statistics received from client computers in the Kaspersky Administration Console.
POLICIES, APPLICATION SETTINGS AND TASKS
A named operation performed by a Kaspersky Lab's application is called a task. Tasks are subdivided into types in accordance with the performed functions. Each task is associated with certain application settings used during its performance. The set of application parameters common for all types of its tasks makes up the application settings. Application settings specific for each individual task type make up the corresponding task settings. Application settings and task settings do not overlap. Detailed descriptions of task types for each Kaspersky Lab's application can be found in their respective Guides. To initiate performance of some necessary function, you have to configure the application settings, create and set up the corresponding task and launch it. Application settings defined for an individual client computer through local interface or remotely via Administration Console will be referred to as local application settings. Centralized configuration of application settings on client computers is accomplished through definition of policies. Policy is a collection of settings regulating operation of an application in a group. The policy does not define all of the application settings. The application settings are defined by the policy settings and the task settings. Each parameter represented in a policy has a "lock" attribute, which shows if the setting is allowed for modification in the policies of child hierarchy levels (for nested groups and slave Administration Server), in task settings and local application settings. If a parameter is "locked" in the policy, its value cannot be redefined (see section "Relation between policies and local application settings" on page 18). The unchecked Inherit settings from parent policy box disables the "lock" for inherited policies. A specific policy is defined for each application in a group. Several policies with different settings can be defined for a single application. However, an application can use only one active policy at a time. There is an opportunity to activate a disabled policy upon a certain event. Thus you can, for example, enforce stricter anti-virus protection settings during virus outbreaks. You can also create a policy for mobile users. It will enter into force when a computer is disconnected from corporate network. Application settings can differ in various groups. Each group can have its own policy for an application. Child groups and slave Administration Servers inherit the policies from groups belonging to higher hierarchy level.

Tasks for objects managed by a single Administration Server are created and configured in a centralized manner. Tasks of the following types can be defined: group task is a task that defines settings for an application installed on computers within an administration group; local task is a task for an individual computer; task for selection of computers is a task for an arbitrary set of computers included or not included in administration groups; Administration Server task is a task defined directly for an Administration Server. A group task can be defined for a group even if a corresponding Kaspersky Lab's application is installed only on certain client computers of that group. In that case the group task will only be performed on computers where the application is installed. Child groups and slave Administration Servers inherit the tasks from groups belonging to higher hierarchy levels. A task defined for a group will be performed not only on client computers included in that group but also on client computers included into its child groups and belonging to slave Servers on all lower hierarchy levels. Tasks created for a client computer locally will only be performed for that computer. During client synchronization with Administration Server local tasks will be added to the list of tasks created for that client computer. Since application settings are defined in policy, task settings can redefine those of them, which are not locked in the policy and also the parameters that can be configured only for a specific task instance. E.g., for a drive scan task they will include the drive name, masks of files to scan, etc. A task may be launched automatically (according to schedule) or manually. Task results are saved locally and on Administration Server. The administrator can receive notifications informing about performance of a certain task and view detailed reports. Information about policies, application settings, tasks for specific computers and group tasks is saved on the Administration Server and distributed to client computers during synchronization. During that procedure information on the Administration Server is updated in its turn with the local changes made on client computers and allowed in applicable policy. Additionally, the list of applications running on the client computer, their status and the existing tasks are updated.
RELATION BETWEEN POLICIES AND LOCAL APPLICATION

SETTINGS

Policies can be used to enforce the same application settings for all computers within a group. Values of the settings defined in a policy can be redefined for individual computers in a group using local application settings. You can only edit the settings allowed for modification in the policy, i.e. "unlocked" settings. The setting value actually used in an application on client computer (see the figure below) is determined by the "lock" position for that setting in policy: if the setting modification is "locked", the same value defined in policy is used on all client computers;

COMPATIBILITY WITH CISCO NETWORK ADMISSION CONTROL (NAC).
Kaspersky Administration Kit allows the administrator to associate the conditions of computer anti-virus protection and the security statuses assigned by Cisco Network Admission Control (NAC).

OPERATION CONCEPT

To do that, you need to create the conditions that will be used to assign to client computers the security statuses of Cisco Network Admission Control (NAC): Healthy, Checkup, Quarantine or Infected. If a client computer does not meet any of the above conditions, it will be assigned the status Unknown. The status Healthy is assigned only if all the selected conditions are met; and the statuses Checkup, Quarantine or Infected apply if at least one of the selected conditions is met.
COMPATIBILITY WITH MICROSOFT NETWORK ACCESS PROTECTION (NAP)
Kaspersky Administration Kit supports integration with the Microsoft Network Access Protection (NAP). Microsoft (NAP) allows regulation of client computer access to the network. Microsoft (NAP) assumes that the network includes a dedicated server with installed Microsoft Windows Server 2008 running the PVS (Posture Validation Server), and client computers have NAP-compatible operating systems installed: Microsoft Windows Vista or Microsoft Windows XP with Service Pack 3. Integration of Kaspersky Administration Kit requires the following steps: 1. 2. Deploy Kaspersky Administration Kit in the network in a regular manner. Install in PVS Kaspersky Lab System Health Validator (SHV). To do that, enable the Kaspersky Lab System Health Validator (SHV) checkbox while selecting the components to install during setup of Kaspersky Administration Kit. At that, the product will install the Network Agent to client computers which functions as the Kaspersky Lab System Health Agent (SHE) that will provide information about the settings of anti-virus protection and their changes on the client computers to the Microsoft NAP agent. As a result, Kaspersky Lab System Health Validator (SHV) will appear in the list of available SHV in the PVS console, where the rules for evaluation of the client computer data collected by the Health Agent can be configured.
CREATION OF THE CENTRALIZED MANAGEMENT SYSTEM FOR ANTI-VIRUS PROTECTION
The first step in creation of a centralized management system for anti-virus protection using Kaspersky Administration Kit is the design of the administration groups structure. During that stage the following decisions must be made: 1. 2. Identify isolated network segments and determine how many Administration Servers must be installed. Define which network computers will perform the functions of the primary Administration Server and slave Servers, and which will function as administrator's workstations and client computers. Client computers must include all the computers where Kaspersky Lab's applications will be installed. Determine the sign that will be used for combining client computers into groups and the hierarchy of groups. Choose the deployment method for the anti-virus protection system: remote or local installation.

During the next step the administrator must create the structure of Administration Server folders by installing the appropriate software components of Kaspersky Administration Kit on corporate network computers, i.e.: 1. 2. 3. Install the Administration Server on computers within corporate network. Install Kaspersky Administration Console on the computers that will be used for management purposes. Decide who the administrators of Kaspersky Administration Kit will be, determine other categories of users allowed to work with the system and assign a list of performed functions to each category.
The system allows simultaneous work of different administrators with the same resources. System settings will use the latest applied values. In that case all operations that administrators perform must be coordinated. 4. Create user groups and provide to each group the access rights needed by its users for performance of their responsibilities.
Then you should create the hierarchy of Administration Servers, build for each server the hierarchy of administration groups and distribute computers into appropriate groups. During the next step you should deploy to client computers the Network Agent, the necessary Kaspersky Lab's applications, and install the corresponding application management plug-ins on the administrator's workstation. Remote installation on client computers is only possible for some (not all) of the Kaspersky Lab's applications that can be managed via Kaspersky Administration Kit. For details please refer to the Guides for the corresponding applications. When remote deployment is used, the Network Agent can be installed together with any application. When remote deployment is used, the Network Agent can be installed together with any application. During the last stage you have to configure the installed applications by defining and applying group policies (see section "Managing policies" on page 48) and creating the necessary tasks (see section "Local application settings" on page 52). The application allows creation of a centralized management system for anti-virus protection with the minimum required settings using the Quick Start Wizard (see section "Quick Start Wizard" on page 39). During the procedure the wizard creates the structure of administration groups identical to the domain structure of the Windows network, and builds the system of anti-virus protection using Kaspersky Anti-Virus for Windows Workstations 6.0 MP4. After creation of the Administration Server folders structure, installation and configuration of anti-virus protection, the administrators are advised to regularly perform network maintenance procedures (see section "Maintenance" on page 66).

Edit event log settings. Edit notification settings. Remote install of Kaspersky Lab applications. Remote install of external applications: preparation of installation packages and remote install of third-party applications to the client computers. Edit Administration Server hierarchy settings. After Administration Server installation, default rights to connect to the Server and work with its objects are granted to the users included in the KLAdmins and KLOperators groups. These groups are created during installation of the Administration Server component depending upon the account selected for starting the Administration Server service: in the domain including the Administration Server and on the Administration Server host computer, if the Server starts using the account belonging to the domain; only on the Administration Server host computer, if the Server starts using the local system account. The KLAdmins group has all access rights, and the KLOperators group only has rights to read and execute. The set of rights granted to the KLAdmins group cannot be modified. Users included in the KLAdmins group will be referred to as Kaspersky Administration Kit administrators, users of the KLOperators group are called Kaspersky Administration Kit operators. Viewing of the KLAdmins and KLOperators groups and introduction of the necessary modifications are available in the standard Windows administration tools Computer management / Local Users and Groups. Apart from the users of the KLAdmins group, administrator's rights are granted to: administrators of the domain including the computers of the administration group assigned to this Server; local administrators of computers with the installed Administration Server. Local administrator can be excluded from the list of users allowed to manage the Administration Server. All operations initiated by the administrators of Kaspersky Administration Kit will be performed using the rights of the Administration Server account. For each Administration Server an individual KLAdmins group can be created; it will have the necessary rights for work with that Server only. If computers belonging to the same domain are included in administration groups of different Servers, then the domain administrator is a Kaspersky Administration Kit administrator for all the groups. The KLAdmins group is common for those administration groups; it is created during installation of the first Administration Server. It can be supplemented using the administration tools of the operating systems. Operations initiated by the administrators of Kaspersky Administration Kit will be performed using the rights of the Administration Server account. User rights (see section "Granting rights" on page 36) in Kaspersky Administration Kit are defined based on Windows authentication of users in the network. After application setup an administrator of Kaspersky Administration Kit can: modify the rights granted to the KLOperators groups; grant the rights to access the functionality of Kaspersky Administration Kit to other user groups and individual users registered on a computer with installed Administration Console; grant various access rights to work in each administration group.

USER INTERFACE CONCEPT

Viewing, creation, modification and configuration of administration groups as well as centralized management of all Kaspersky Lab's applications installed on client computer are performed from the administrator's workstation. The management interface is provided by the Kaspersky Administration Console component. It is a specialized independent snap-in for Microsoft Management Console (MMC); therefore Kaspersky Administration Kit uses a unified interface in MMC style. The Administration Console allows connection to the remote Administration Server via Internet. For local work with client computers the application supports remote connection to a computer via Kaspersky Administration Console using the standard Microsoft Windows Remote Desktop Connection application. To use this functionality, remote desktop connections must be allowed on the client computer.

CONFIGURING INTERFACE

Kaspersky Administration Kit allows the administrator to configure the Administration Console interface. To change the specified interface settings, perform the following steps: 1. Go to the View below). Configuring interface menu. This will open the corresponding window (see the figure
Figure 2. Viewing the group properties. The Configuring interface window
In the window that will open, you can specify the following parameters: Display slave Administration Servers. Display security settings tabs. Display application registry. The maximum number of computers displayed in console nodes. The option determines how many computers are displayed in the results pane of the Administration Console for the group and domain nodes. The default value is 2000. If the number of computers in the group exceeds the specified value, a corresponding notification will be displayed on the screen. To view the list of all computers, increase the parameter value.
The parameter defined for the maximum number of displayed hosts in the settings of a group (or domain) applies to all groups on all hierarchy levels and for all domains.
LAUNCHING THE APPLICATION
The Kaspersky Administration Kit can be launched by selecting Kaspersky Administration Kit from the Kaspersky Administration Kit program group in the standard Start Programs menu. This program group is created only on administrator's workstations during the Kaspersky Administration Console installation. To access the functionality of Kaspersky Administration Kit the Administration Server of Kaspersky Administration Kit must be running.

MAIN PROGRAM WINDOW

The main program window (see the figure below) contains a menu, a toolbar, browsing pane and an informational panel, which can display the task pane or results pane. The menu provides controls for the windows and access to the help system. The Action submenu duplicates the context menu commands for the current node or folder of the console tree. The toolbar buttons allow direct access to some items of the main menu. Items available on the toolbar depend on the current node of the console tree. Browsing pane displays the namespace of Kaspersky Administration Kit as a console tree (see section "Console tree" on page 28). Informational area of the main window can display the task pane, results pane, or their combination. For some nodes of the console tree the informational area can offer two viewing modes: extended and standard. Switching between them is performed using the corresponding tabs. The task pane consists of one or several tabs, which display pages containing links for fast access to basic operations available for the node selected in the console tree. For more details about using the task pane please refer to the Task pane section (on page 30).

TASK PANE

The task pane is an area within the window containing the set of links for operations with the Administration Server objects and the Administration Server itself. There are two conventional views of task panes: standard and extended.
Extended task pane (see the figure below) is available for most nodes and objects of the console tree. It is an HTML page containing links for various operations, navigation to other Administration Server objects and brief information about the current object or node. A single node can have several task panes, which appear as tabs with their names displayed in the upper part of the informational pane. For convenient browsing between Administration Server nodes and objects, the upper part of the task pane offers a navigation chain: Getting started <node name>. <folder name> <object name>. Groups of links can be combined into blocks for more convenient arrangement in the pane.
Figure 5. Extended view of the task pane. The Managed computers node
For some objects of the console tree the task pane can display summarized information about an object, for example, the results of policy enforcement (see the figure below). In that case the extended pane also functions as the results pane (see section "Results pane" on page 33).
Figure 6. Policy task pane
For some nodes that have no extended task pane, the standard task pane is provided. It is represented by a set of links in the left part of the results pane (see the figure below). Links of the standard task pane, similarly to the extended pane, are used to proceed to performing various operations, viewing or editing object properties. The results pane including the task pane is available on a tab under the name of a corresponding node or folder.
Figure 7. Standard task pane for the Client computers node
In the Kaspersky Administration Kit documentation the term "task pane" means extended task pane. When references to the standard task pane are used, its items are described as part of the results pane.

Access rights can be provided individually to each administration group or granted for other objects of an Administration Server, for example, Administration Server tasks. This configuration is performed in the object properties window, on the Security tab. Administrator can track user operations through Administration Server events registered in event logs. These events have the severity level Info; and event types begin with Audit. They appear in the Events node of the console tree in the Audit events folder.
VIEWING INFORMATION ABOUT THE COMPUTER NETWORK. DOMAINS, IP SUBNETS AND ACTIVE DIRECTORY GROUPS
Information about the computer network structure and the computers it contains is displayed in the Unassigned computers node of the console tree. The Unassigned computers folder contains three subfolders: Domains; Active Directory;
IP subnets. The Domains folder contains the hierarchy of subfolders reflecting the structure of domains and workgroups in the corporate Windows LAN. Each of the folders at the lowest level contains a list of computers of the respective domain or workgroup, which are not included in the structure of administration groups. Once a computer is included in a group, information about it will be immediately deleted from the folder. If the computer is excluded from the structure of the administration group, information about it will again be placed in the corresponding folder of the Unassigned computers / Domains node. The Active Directory folder displays computers reflecting the Active Directory structure. The IP subnets folder displays computers reflecting the structure of IP subnetworks created within the network. The structure of the IP subnets folder can be determined by the administrator by creating new IP subnets and editing the settings of existing ones. By default, IP subnets are used to display only the IP subnets that include an Administration Server. The task pane of the Unassigned computers node contains links for navigation to settings configuration and viewing the contents of nested folders. The content of each Domains, Active Directory or IP subnets folders is displayed in the results pane as a table. Full list of the results pane columns for each object of the Administration Console is available in the Reference Guide. If the structure uses several levels, i.e. there are subfolders, it is displayed in the console tree. Lowest elements of the hierarchy (client computers) are not displayed in the console tree. Creation and updating of the Unassigned computers group is performed by the Administration Server. It regularly polls the corporate network using defined settings to detect newly added and disconnected computers in it. Administration Server can use the following types of network scanning: Windows network polling. There are two polling methods: quick and full. During a quick scan, the server only collects information about the list of NetBIOS names for computers in all network domains and workgroups. During a full scan, additional information is requested about computers: operating system, IP address, DNS name, etc. For viewing and modification of the settings for Windows network polling, use the Configure link in the Network environment scanning section in the task pane of the Unassigned computers node. IP subnets polling. The Administration Server will poll the specified IP ranges using ICMP packets, and collect a complete set of data on hosts within the range. For viewing and modification of the settings for IP subnets polling, use the Configure link in the IP-subnets scanning section in the task pane of the Unassigned computers node. Polling of Active Directory groups. This causes information on the Active Directory unit structure and host DNS names to be entered into the Administration Server database. For viewing and modification of the settings for polling of Active Directory groups, use the Configure link in the Active Directory scanning section in the task pane of the Unassigned computers node. Administration Server uses the collected information and the data on computer network structure to update the contents of the folders in the Unassigned computers node. In that case, computers discovered in the network can be automatically added to certain administration groups. There is an opportunity to disable polling of computers displayed in the folders of the Unassigned computers node. The folders of the Unassigned computers node of the master Administration Server also display hosts belonging to the computer network which includes slave Administration Servers.

CLIENT COMPUTERS

Adding a client computer to the group allows you to apply to it the policies and tasks created in the group. To add client computers to a group, use the Add computers link in the task pane of the group, to which the computer should be added. A wizard will start. Once the wizard completes successfully, the computers will be included in the group and will be displayed in the results pane of the Client computers folder under the names determined for them by the Administration Server (see the figure below). If the Administration Server has not for some reason detected the client computer, it is necessary to install the Network Agent to it and connect it to the Administration Server. The Administration Server will move this computer to the Unassigned computers node, where from you can move it to the required group.
Figure 14. Client computers within the group
Icons reflecting the status of client computers are displayed next to their names in the results pane. The icons and corresponding statuses are listed in appendix to the Reference Guide. Addition of client computers to administration groups can be configured to make the Administration Server include on its own all new computers detected in a network to the specified administration group. To do that, the appropriate settings must be defined in the Administration Server properties (see the figure below).
A computer can also be added in the main application window of Kaspersky Administration Kit by dragging the computer from the Unassigned computers folder and dropping it in the appropriate administration group folder, using the mouse.
Figure 15. Configuring automatic transfer of new computers to a group
You can move client computers from one group to another by excluding them from the administration groups, using either the standard context menu commands Cut / Paste and Delete or the corresponding items from the Action menu. Computers deleted from administration groups will be moved to the Unassigned computers node. The moving operation can also be performed using the mouse. There is an opportunity to transfer client computers from administration groups of one Server to the groups of another one. E.g., while adding a slave Administration Server, you can move client computers from the administration groups of primary Server to the groups of that slave Server. To do that, the client computers must be connected to the new Administration Server. You can connect a client computer to another Administration Server locally from that client computer. The operation is performed using the klmover.exe utility included in the distribution package of the Network Agent. After Network Agent installation the utility can be found in the root of the component's program directory. Client computer connection to another Administration Server is accomplished by creating and running the Change Kaspersky Administration Server task. You can create a task for selected hosts to transfer individual computers, or use a group task to move all client computers from specified administration group. As a result of the Server replacement task, the client computers that have completed the task will disconnect from the old Administration Server and appear in the Unassigned computers node of the new Server. Administration Console can be used to transfer client computers manually to the administration groups of new Server from the groups of an old Server.

SLAVE ADMINISTRATION SERVERS
The servers hierarchy can be used to perform the following operations with all slave Administration Servers and their client computers: creation and distribution of application policies; creation and distribution of group tasks (including deployment tasks); distribution of the updates and installation packages received by the master Server; creation of reports summarizing information from all slave Administration Servers. The policies and tasks received by the slave Administration Server from the master Administration Server cannot be modified. To add a slave Server, use the Create / Administration Server command for the Administration Servers object in the necessary group. This will launch the slave Server addition wizard which performs the following steps: adding a slave Administration Server; connecting the Administration Console to the slave Server; configuring the settings for connection to the master Server; adding information about the slave Server to the master Administration Server's database. Connection and configuration can be skipped. In that case you will have to perform these steps manually: use the Administration Console to connect to the slave Server and define the settings for its connection to the master Server (see the figure below).
After successful addition of a slave Administration Server, the icon and name of the Server will appear in the Administration Servers folder within the corresponding group.
Figure 16. Configuring the slave Administration Server's connection to the master Administration Server
You can work with administration groups of a slave Administration Server both from the Administration Servers node of the master Server or directly, by adding the slave Server to the console tree as a new Administration Server. The slave Server is a valid administration Server and performs all the functions of the Administration Server within its own administration groups. At that, the slave Administration Server inherits all group tasks and policies of the group, to which it belongs, from the master Server. Inherited policies and tasks are indicated on the slave Server as follows: The icon will be displayed next to the names of policies inherited from the master Administration Server (the ).

regular policy icon is

The settings of the inherited policy will not be accessible for changes on the slave Server. The settings that are specified as not modifiable in the inherited policy are indicated by the "locked" icon all application policies on the slave Server, and use values specified in the inherited policy. in
The settings that are not "locked" in the inherited policy, can be modified (see section "Relation between policies and local application settings" on page 18) in the slave Server policies (the icon is ). If a parameter is not "locked" in the slave Server policy, it can also be redefined (see section "Relation between policies and local application settings" on page 18) in the application and task settings. The icon will be displayed next to the names of group tasks inherited from the master Administration Server ).
(the regular task icon is
Deployment tasks for specific computers cannot be transferred to slave Administration Servers. Transfer of group tasks is configured in task properties. Updating of the client computers connected to a slave Administration Server (see section "Updating of slave Servers and their client computers" on page 63) can be configured to launch the updates download task automatically after the master Server receives updates. Its successful completion will trigger the launch of application update tasks on client computers of the slave Server.
REMOTE MANAGEMENT OF APPLICATIONS
Kaspersky Administration Kit supports management only for Kaspersky Lab's applications that include a specialized component application management plug-in. The management of applications is performed in two ways: management of application settings through definition of policies (see section "Managing policies" on page 48) or editing of the local settings (see section "Local application settings" on page 52) of corresponding applications; creation and launch of tasks (see section "Managing the operation of applications" on page 52).
Managing policies..... 48 Local application settings.... 52 Managing the operation of applications..... 52

Administration Server tasks are stored in the Kaspersky Administration Kit tasks container. To create a new Administration Server task, open in the console tree the context menu of the Kaspersky Administration Kit tasks node and use the command Create / Task.

Figure 20. Group tasks

You can view the list of local tasks on a client computer in its properties window. To do that, perform the following actions: 1. 2. 3. In the console tree, open the Client computers folder of the group including the necessary computer. Select a computer in the list displayed in the results pane. Open the computer properties window on the Tasks tab that contains the list of local tasks for the selected computer. To do that, use the Tasks link to the left of the computers list in the results pane or the Tasks item of the context menu for the selected computer.
Exchange of information about the tasks between a local application and the database of Kaspersky Administration Kit occurs at the connection of the Network Agent with Server. During the procedure information about local tasks arrives in the Administration Server database. You can edit the settings of tasks, monitor their execution, copy, export and import tasks from one group to another and also delete them using the context menu commands and the task pane links. Application settings used while performing tasks on each client computer are defined in accordance with the group policy (see section "Relation between policies and local application settings" on page 18), task settings and the parameters of that application on the client computer.
Most of the settings are determined by the policy for the application performing a specific task. If modification of some values is locked in policy, they cannot be edited in task settings (see the figure below).
Figure 21. Task settings locked in a policy
However, some settings are individual for every task: task launch schedule, the account used to run a task, scan scope for on-demand scanning tasks, etc. Values for those settings are specified for every task and they can be changed after task creation (see the figure below).
Figure 22. Editing task properties. The Schedule tab
Tasks start in accordance with their schedule. Computers that are turned off at the time specified in the schedule, can boot up automatically using the Wake On LAN feature. To do that, the corresponding box (see the figure below) must be checked in the window that will open after clicking the Advanced button on the Schedule tab (see the figure above).

During the next stage, the administrator has to build a logical network, i.e., install the following Kaspersky Administration Kit components on networked computers, namely: 1. 2. 3. Install the Administration Servers on computers within the corporate network. Install the Administration Console on computers from which the administration will be provided. Make decision regarding assigning of the logical network administrators, determine which other user categories will interact with the system and assign a list of functions to be performed to each category. Create lists of users and grant to each group access rights required to perform functions assigned to this group and related to access rights.
Typical Schemes of Deployment of anti-virus protection
After this, it is required to create a hierarchy of the Administration servers and for each Server create a logical network structure as follows: create a hierarchy of the administration groups and distribute computers among the corresponding groups. During the next stage, you should install the Network Agent and selected Kaspersky Lab applications on client computers and install the corresponding administration plugins on the administrator workstation. If you use the remote installation option, the Network agent may be installed together with any application, in this case no separate installation of the Network agent is required. During the final step, you should configure the installed applications by assigning and applying group policies and creating tasks. Using the Quick Start Wizard, the administrator can easily build an anti-virus protection system for his/her network and perform minimum configuration. Briefly configuring the anti-virus protection system means creating a logical network identical to the domain structure of the Windows network and the anti-virus protection system based on versions 5.0 and 6.0 of Kaspersky Anti-Virus for Windows Workstations.
CHAPTER 3. INSTALLING KASPERSKY ADMINISTRATION KIT
Before starting the installation, make sure that the computer meets the software and hardware requirements to the Administration Server and the Administrator's workstation (see section 1.3 on page 9). MSDE (Microsoft Data Engine), MySQL server or Microsoft SQL server is used to store the Administration Server information. If no MSDE or SQL server is installed, you have to install one of them before installing the Administration Server. In order to do it, you can use the distribution packages you have. In order to install MSDE you can also use Kaspersky Administration Kit distribution package. The MSDE installation procedure from the Kaspersky Administration Kit is discussed in detailed below (see section 3.1 on page 15). For installation of Kaspersky Administration Kit the local administrator's rights are required for the computer on which the installation is performed. The setup wizard will offer you to install the application components of Kaspersky Administration Kit (the Administration Server and Administration Console) on the computer on which the setup wizard is run. Such configuration is recommended at the initial stage of creating the centralized administration system. All the required ports should be open on a host computer for installed application components to work properly. A listing of default ports used by Kaspersky Administration Kit is given in Table 1. Table 1 Port Number Protocol Description

Figure 3. Selecting the account
You can select one of two options:
Domain User account - the Administration Server will be started under the user account included into the domain. In this case the Administration Server will initiate all operations using the rights of this account and during the next stage you will be offered to specify the user whose account will be used. If a Windows domains structure has been created within the corporate network we recommend selecting the domain administrator's account in order to start the Administration Server. In the future it will allow to avoid configuring additional settings, for example, specifying account of a user who is granted with the domain administrator's rights when creating a deployment (remote installation) task (see section 0 on page 53).
Local System account - the Administration Server will be started under the System account with all rights granted to this account. In this case you do not select a user account and will switch directly to the stage where you will have to specify the recourse to store the Administration Server's information database. For the correct operation of Kaspersky Administration Kit it is mandatory that the account used to start the Administration Server is granted the rights of the administrator for the resource used to store the Administration Server's information database.
6. If you selected a domain's user account to start the Administration Server under, you will be offered to specify such user. In order to do it, in the User name field in the wizard window (see Figure 4) select the user name using the Browse button or enter this name manually out of names registered within the current domain. After this, enter the password used to register the user in the domain.

Figure 4. Selecting user

If you selected a user who does not have the domain administrator's rights, the Administration Server will be launched under his account, however the functionality of Kaspersky Administration Kit will be somewhat restricted. For example, it may not have the rights required to execute a deployment task using a launch scenario (see section 0 on page 53) and polling some domains of the Windows network. For the correct operation of the Administration server, the account used to launch it must have the following rights: Log on as a service; Act as part of the operating system; Access this computer from the network; Replace a process level token; Increase quotas/ Adjust memory quotas for a process.
If the user you selected is a domain administrator, but it does not have the rights listed above, such rights will be granted to this user (see Figure 5).

Figure 5. Message about rights granted to the user.
7. During the next stage you will be offered to define resourse Microsoft SQL server (MSDE) or MySQL (see Figure 6), that will be used to store the Administration Server information database.
Figure 6. Selecting the database
8. If during the previous stage you selected MSDE or Microsoft SQL server and you are planning to use a server installed within the corporate network to work with Kaspersky Administration Kit, indicate such server's name in the SQL server name and specify the name of the database that will be created to store the Administration Server data in the SQL server database name (see Figure 7). The default database name is KAV.
Value (local) will be automatically assigned to the Server name field if an SQL server is detected on the computer from which Kaspersky Administration Kist is being installed. To display the list of all Microsoft SQL servers installed in the network, press the Browse button. If the Administration Server will be started under the local administrator's account or under the system account, the Browse button will not be available.
Figure 7. Selecting SQL server
If during the previous stage MySQL server was selected, specify in this window (see Figure 8) its name in the MySQL server name field (by default IP address of the computer onto which Kaspersky Administration Kit is being installed will be used) and specify port to be used for connection in the Port field (the default port is 3306). In the MySQL server database name field specify the database name that will be created to store the Administration Server data (by default the database will be created under name KAV). If during the previous stage MySQL server was selected, specify in this window
Figure 8. Selecting MySQL server
If there are no SQL servers in the network and you cannot use them, you have to install one (see section 3.1 on page 15). If you wish to install an SQL server on the computer from which you are installing Kaspersky Administration Kit, you have to abort the installation and restart it after you have installed the SQL server. If you install Kaspersky Administration Kit onto a remote computer, it is not required to interrupt the Kaspersky Administration Kit installation wizard. Install the SQL server and return to the Kaspersky Administration Kit installation. 9. During this step you have to define the authentication mode to be used by the Administration Server to connect to the SQL server. For MSDE or Microsoft SQL server you can select of the following two options (see Figure 9). Microsoft Windows Authentication Mode - in this case the account used to start the Administration server will be used to verify the rights; SQL Server Authentication Mode - if you select this option, the account specified below will be used to verify the rights. Fill in the Account, Password and Confirm password fields.

If Administration Server Database is on another computer, you need to choose SQL server authentication mode when installing or updating an Administration Server.
Figure 9. SQL server authentication mode
For MySQL server indicate the account and the password (see Figure 10).
Figure 10. MySQL server authentication mode
10. After this (see Figure 11), specify the location to store the shared folder that will be used: to store files required for remote installation of applications (files will be copied to the Administration Servers when installation packages are created); to store the updates copied from the updates source to the Administration server.
This resource will be public to all users for reading only.
Figure 11. Creating a shared folder
You can select one of the following two options: Create new shared folder - to create a new folder; you will have to specify path to the folder in the field below. Select existing shared folder - in order to select a shared folder from the list of existing shared folders.
A public shared folder can be stored either locally, on the computer from which the installation is performed or remotely, on any of the computers included into the corporate network. A shared folder can be specified both using the Browse button, and manually by entering a UNC path (for example, \\server\KLShare) in the appropriate field.
By default a local folder KLShare will be created in the folder specified for installation of the Kaspersky Administration Kit application components. 11. Use the next wizard dialog to specify Administration Server address (cf. Figure 13) by setting: DNS name. This option is used when there is a DNS server on the network which clients can use to obtain Administration Server address. NetBIOS name. This option is used where clients obtain Administration Server address through the NetBIOS protocol or if there is a WINS server on the network. IP address. This option is used where the Administration Server has a static IP address which will not subsequently change.
If required, check Allow NetBIOS Name Service in Kaspersky Antivirus 6.0 Anti-Hacker. This will open UDP port 137 in Kaspersky Antivirus 6.0 Anti-Hacker installed on the host. This port is used to obtain Administration Server IP address.
Figure 12. Administration Server Address
12. After this configure settings to be used for connection to the Administration Server (see Figure 13);

Under the current version of Kaspersky Administration Kit the following Kaspersky Lab applications may be managed remotely: Workstation and file server protection: Kaspersky Antivirus 5.0 for Windows File Servers; Kaspersky Antivirus 6.0 for Windows Servers; Kaspersky Antivirus 5.0 for Windows Workstations; Kaspersky Antivirus 6.0 for Windows Workstations; Kaspersky Antivirus 5.0 Second Opinion Solution; Kaspersky Antivirus 5.7 for Novell NetWare;
Perimeter defense: Kaspersky Antivirus 5.6 for Microsoft ISA Server 2000 Enterprise Edition.
Mail server protection: Kaspersky Antivirus 5.5 for Microsoft Exchange Server 2000/2003, Planned Update 1; Kaspersky Security 5.5 for Microsoft Exchange Server 2003, Planned Update 1.
For detailed information on managing the above applications using Kaspersky Administration Kit see relevant application Manuals.
4.1. Remote software installation
Remote software installation can be performed from the administrator's workstation in the main application window of Kaspersky Administration Kit. Some Kaspersky Lab's applications can be installed only the client computers only locally (details see Guides to the corresponding applications). However, remote administration of these applications using Kaspersky Administration Kit will be available. In order to perform remote software installation: 1. Create an installation package (see section 0 on page 53). The structure of this package will include files required to install the application and the files that contain settings of the installation package.
Installation and Removal of Software on the Computers
Installation package contains file setup.exe using which the local installation of the application in non-interactive mode is performed. 2. Create remote installation task (see section 0 on page 53). In order to install the application on all computers in the logical network or several administration groups or on specific computers from various groups, you must create a global deployment (remote installation) task. In order to install the application on all computers of an administration group (including all nested groups and slave servers), you must create a group deployment (remote installation) task. You can use the deployment wizard (see section 4.2 on page 71) to create either a group or a global task. The task you create will be run according to the schedule. Application operation settings on each client computer will be configured based on the group policy and the default settings of the application. You can abort the installation process by manually interrupting execution of the task. All installation packages created for the Administration Server will be located on the console tree in a special container Remote Installation. On the Administration Server these installation packages will be stored in the specified shared folder in the service folder Packages. You can review the properties of the installation package, change its name and settings using the Properties: <Package Name> window (see Figure 20). This window opens using the Properties shortcut menu command or the analogous item in the Action menu. The installation packages created can be distributed on the slave Administration Servers (see section 4.1.4 on page 49) and on the computers within a group using the updating agents (see section 4.1.6 on page 51). One installation package can be reused many times to create deployment tasks. Applications may also be installed in non-interactive mode.

create an information message that will be displayed in an entry field to notify the user that the operating system must be restarted. specify a frequency of notifications about the operating system restart if the user cancelled the restart, by checking the Repeat prompt every (min.) box and specifying the interval for the message to be displayed;
specify automatic restart of the computer's operating system if it is not performed by the user within the specified time interval starting with the moment the application has been installed. In order to do it, check the Force the restart in (min.) box and specify the time interval.
If a locked computer needs to be rebooted, check Close Running Applications Automatically. By default this option is unchecked.
Figure 23. Installation package properties review window The Operating System restart tab
4.1.3. Creating and configuring the Network Agent installation package
The installation package for the remote installation of the Network Agent does not have to be created manually. It is created automatically during the installation of Kaspersky Administration Kit and located in the Remote installation node.
If the package for the remote installation of the Network Agent has been deleted, then in order to create it again, select file klnagent.kpd located in the NetAgent folder of the Kaspersky Administration Kit distribution package to be used as the file that contains the description The settings of the Network Agent installation contain a minimum set of settings required to ensure the functioning of the component immediately following its installation. The values of the settings match the values of the default application settings. If required, these can be changed using the Settings and the Administration Group tabs of the installation package properties window. The Settings tab (see Figure 21) contains settings used by the Network agent after it is installed on the client computers to connect to the Administration Server (by default, values of the current server will be used during the creation). Address of the computer on which the Administration Server is installed. Number of port used for unsecured connection to the Administration Server. By default port 14000 is used. If this port is busy, you can change it. Number of port used for secure connection to the Administration Server using SSL protocol. By default port 13000 is used. Only decimal representation is allowed. Certificate file for authentication of the access to the Administration Server. The value of this setting is determined by the Use the Server Certificate box. If the box is not checked by default, the certificate file will be automatically obtained from the Administration Server when the Agent connects to it for the first time. If the Use Server Certificate box is checked, authentication will be performed based on the certificate file specified using the Browse button. This file has extension.cer and is located in the Cert folder of the Kaspersky Administration Kit installation folder. You can change the certificate file by selecting the file you need using the Browse button. Which port will be used by the Network Agent to connection to the Server: simple or secure. The value of this setting is determined by the Use SSL connection box. If the box is checked, the connection is performed via a secure port using SSL protocol, if the box is unchecked, the connection is performed via an unsecured port. The proxy server connection settings. If a proxy server is used by the Network Agent to connect to the Server, check the Use proxy server

4.1.5. Creating a task for distribution of the installation package on the slave Administration Servers
In order to create the task for distribution of the installation package on the slave Administration Servers: 1. Connect to the Administration Server you need. 2. Select the Global tasks node in the console tree, open the shortcut menu and select the New Task command or use the analogous item in the Action menu. This will start the wizard. Follow its instructions. 3. For the Kaspersky Administration Kit application select the Packages retranslation task task type. 4. In the next wizard window (see Figure 25) select which installation packages must be distributed. Select one of the following options: All installation packages. Selected installation packages. In this case check boxes next to the names of the required installation packages in the table below.
Figure 25. Creating a set of installation packages
Specify the required value in the The maximum number of simultaneous downloads:. 5. In the next wizard window (see Figure 26) check boxes next to the names of the slave Administration Servers to which the installation packages must be distributed.
Figure 26. Selecting slave Administration Servers
6. In the next wizard window specify the task launch schedule (details see section 0 on page 53). 7. To exit the wizard when it is completed, press the Finish button.
4.1.6. Distribution of the installation packages within a group using network agents
In order to distribute installation packages within a group, you can use updating agents. The updating agents receive installation packages and updates from the Administration Server and save them in the Kaspersky Lab's application installation folder. The location of the folder that contains the updates and the installation packages cannot be changed; its size cannot be restricted. Later the installation packages will be distributed to the client computers using the multi-address delivery. Delivery of the new installation packages within a group is only performed once. If at the moment of the delivery a client computer was disconnected from the corporate logical network, then when the installation task is run the Network Agent will automatically download the required installation package from the updating agent.

Figure 29. Specifying the task type
After this, specify the installation package that will be installed during the execution of this task (see Figure 30). Select the required package from the packages created for the particular Administration Server or create a new package using the New button. Some applications that support administration via Kaspersky Administration Kit can be installed on the computers only locally. Detailed information see Guides to the corresponding applications.
Figure 30. Selecting the installation package for installation
During this stage select the Push install option (see Figure 31)
Figure 31. Selecting installation method
In this wizard window (see Figure 32) you will be offered to determine additional installation settings. Whether the application must be reinstalled if it has already been installed on the computer. Check the Do not install application if it is already installed box in order to prevent repeated installation (by default the box is checked). In this case for the computers on which the application is installed locally or as the result of previous scheduled launch of the remote installation task, the task will not be launched. If the box is unchecked, the remote installation task will be launched by scheduled until the maximum number of attempts to install the application has been reached. To specify the method for delivery of the files required to install the application on the client computers. In order to do it, perform the following in the Downloading the installation package group of fields:
Check the Using Microsoft Windows resources from public access folder box if you wish that the transfer of the files required to install the application to the client computers is performed using Windows tools and the shared folders (by default this box is checked). Check the Using Administration Agent box so that the files are delivered to the client computers by the Network Agent installed on each computer (by default this box is checked). In the The maximum number of simultaneous downloads field specify the maximum number of client computers that can download information from the Administration Sever.
Specify the number of attempts to perform the installation in case of a scheduled task launched by entering the required value in the Number of attempts field. Repeated attempts are made in case of an error during the execution in the course of the previous installation.

When selecting the application and the task type (see Figure 29), specify values Kaspersky Administration Kit and Deploy application to slave administration servers. Specify the installation package that will be installed during the execution of this task Check the Do not install application if it is already installed box in order to prevent repeated installation (by default the box is checked). This step is not available for a global task. Select Slave Administration Servers (Figure. 42) and make up a list of slave servers

5. 6. 7.

Figure 42. Creating a list of slave administration servers
Then create the schedule to launch the task
Figure 43. Application Deployment to slave administration servers task. Settings tab.
4.1.9. Remote software removal
In order to remotely remove the software: Create a task similarly to creation of a deployment task (see section 0 on page 53); select Remote application removal as the task type and select the required Kaspersky Lab's application from the Application to be removed drop-down list in the Application window (see Figure 44). In order to remove a third-party application, check the Third-party application and select the application to be removed. The drop-down list contains the list of applications detected on the computers of the logical networks after the Network Agent had been installed on these computers.
Figure 44. Selecting an application to be removed
The task you created will be run according to the schedule.

4.2. Deployment wizard

You can use deployment wizard to install Kaspersky Lab's applications. This wizard allows performing application deployment using the forced installation method using installation packaged created or directly from the distribution package. The wizard performs the following: creation of an installation package to install the application (if such package has not been installed earlier). The package is stored in the Remote installation node under the name that matches the name and the version of the application and can be used to install the application later. creation and launching of global and group deployment tasks. The task created will be located in the Global tasks or Group tasks folder of the group for which the task was created and can be manually run later. The name of the task matches the name of the package for the application installation: Installation <Name of the selected installation package>.

Kaspersky Corporate Suite provides comprehensive anti-virus protection for:
Workstations running Microsoft Windows 98/ME, Microsoft Windows NT/2000/XP Workstation and Linux; File servers running Microsoft Windows NT 4.0 Server, Microsoft Windows 2000, 2003 Server/Advanced Server, Novell Netware, FreeBSD, Linux; Samba file storage
Depending on the type of distribution kit.
E-mail systems, including Microsoft Exchange Server 2000/2003, Lotus Notes/Domino, sendmail, postfix , exim, and qmail mail systems Internet gateways: CheckPoint Firewall 1; Microsoft ISA Server 2000 Enterprise Edition, Microsoft ISA Server 2004 Enterprise Edition Hand-held computers (PDAs), running Symbian OS, Microsoft Windows CE and Palm OS, and also smartphones running Microsoft Windows Mobile 2003 for Smartphone and Microsoft Smartphone 2002.
Corporate Suite distribution kit includes Kaspersky The Kaspersky Administration Kit, a unique tool for automated deployment and administration.
You are free to choose from any of these anti-virus applications, according to the operating systems and applications you use. Kaspersky Anti-Spam Kaspersky Anti-Spam is a cutting-edge software suite that is designed to help organizations with small- and medium-sized networks wage war against the onslaught of unsolicited e-mail messages (spam). The product combines the revolutionary technology of linguistic analysis with modern methods of e-mail filtration, including DNS Black Lists and formal letter features. Its unique combination of services allows users to identify and wipe out up to 95% of unwanted traffic. Installed at the entrance to a network, where it monitors incoming e-mail traffic streams for spam, Kaspersky Anti-Spam acts as a barrier to unsolicited e-mail. The product is compatible with any mail system and can be installed on either an existing mail server or a dedicated one. Kaspersky Anti-Spams high performance is ensured by daily updates to the content filtration database adding samples provided by the Companys linguistic laboratory specialists. Databases are updated every 20 minutes. Kaspersky Security for Microsoft Exchange 2003 Kaspersky Security for Microsoft Exchange performs anti-virus processing of incoming and outgoing mail messages as well as messages stored at the server, including letters in public folders and filters out unsolicited correspondence using "smart" spam recognition techniques in combination with Microsoft technologies. The application scans all messages arriving at an Exchange Server via SMTP protocol checking them for the presence of viruses using Kaspersky Lab's antivirus technologies and for the presence of SPAM attributes. It filters out spam based on formal attributes (mail address, IP address, letter size, heading) and analyzes the content of messages and of their attachments using "smart' technologies, including unique graphic signatures for identifying graphic SPAM. The application scans both the message body and the attached files.

Software was designed (each, a Client Device). If the Software is licensed as a suite or bundle with more than one specified Software product, this license applies to all such specified Software applications, subject to any restrictions or usage terms specified on the applicable price list or application packaging that apply to any such Software applications individually. 1.1 Use. The Software is licensed as a single application; it may not be used on more than one Client Device or by more than one user at a time, except as set forth in this Section. 1.1.1 The Software is in use on a Client Device when it is loaded into the temporary memory (i.e., random-access memory or RAM) or installed into the permanent memory (e.g., hard disk, CD-ROM, or other storage device) of that Client Device. This license authorizes you to make only as many back-up copies of the Software as are necessary for its lawful use and solely for back-up purposes, provided that all such copies contain all of the Softwares proprietary notices. You will maintain records of the number and location of all copies of the Software and Documentation and will take all reasonable precautions to protect the Software from unauthorized copying or use. 1.1.2 If you sell the Client Device on which the Software is installed, you will ensure that all copies of the Software have been previously deleted. 1.1.3 You shall not decompile, reverse engineer, disassemble or otherwise reduce any party of this Software to a humanly readable form nor permit any third party to do so. The interface information necessary to achieve interoperability of the Software with independently created computer programs will be provided by Kaspersky Lab on request on payment of its reasonable costs and expenses for procuring and supplying such information. In the event Kaspersky Lab notifies you that it does not intend to make such information available for any reason, including (without limitation) costs, you shall be permitted to take such steps to achieve interoperability provided that you only reverse engineer or decompile to the extent permitted by law. 1.1.4 You shall not permit any third party to copy (other than as expressly permitted herein), make error corrections to, or otherwise modify, adapt, or translate the Software nor create derivative works of the Software. 1.1.5 You shall not rent, lease or lend the Software to any other person, nor transfer or sub-license your license rights to any other person. 1.1.6 You shall not use this Software in automatic, semi-automatic or manual tools designed to create virus signatures, virus detection routines, any other data or code for detecting malicious code or data. 1.2 Server-Mode Use. You may use the Software on a Client Device or on or as a server (Server) within a multi-user or networked environment (ServerMode) only if such use is permitted in the applicable price list or application

Appendix C

packaging for the Software. A separate license is required for each Client Device or seat that may connect to the Server at any time, regardless of whether such licensed Client Devices or seats are concurrently connected to or actually accessing or using the Software. Use of software or hardware that reduces the number of Client Devices or seats directly accessing or utilizing the Software (e.g., multiplexing or pooling software or hardware) does not reduce the number of licenses required (i.e., the required number of licenses would equal the number of distinct inputs to the multiplexing or pooling software or hardware front end). If the number of Client Devices or seats that can connect to the Software exceeds the number of licenses you have obtained, then you must have a reasonable mechanism in place to ensure that your use of the Software does not exceed the use limits specified for the license you have obtained. This license authorizes you to make or download such copies of the Documentation for each Client Device or seat that is licensed as are necessary for its lawful use, provided that each such copy contains all of the Documentation proprietary notices. 1.3 Volume Licenses. If the Software is licensed with volume license terms specified in the applicable application invoicing or packaging for the Software, you may make, use or install as many additional copies of the Software on the number of Client Devices as the volume license terms specify. You must have reasonable mechanisms in place to ensure that the number of Client Devices on which the Software has been installed does not exceed the number of licenses you have obtained. This license authorizes you to make or download one copy of the Documentation for each additional copy authorized by the volume license, provided that each such copy contains all of the Documents proprietary notices. 2. Duration. This Agreement is effective for the period specified in the Key File (the unique file which is required to fully enable the Software, please see Help/ about Software or Software about, for Unix/Linux version of the Software see the notification about expiration date of the Key File) unless and until earlier terminated as set forth herein. This Agreement will terminate automatically if you fail to comply with any of the conditions, limitations or other requirements described herein. Upon any termination or expiration of this Agreement, you must immediately destroy all copies of the Software and the Documentation. You may terminate this Agreement at any point by destroying all copies of the Software and the Documentation. 3. Support.
(i) Kaspersky Lab will provide you with the support services (Support Services) as defined below for a period of one year following: (a) payment of its then current support charge, and;

(b) successful completion of the Support Services Subscription Form as provided to you with this Agreement or as available on the Kaspersky Lab
website, which will require you to produce the Key Identification File which will have been provided to you by Kaspersky Lab with this Agreement. It shall be at the absolute discretion of Kaspersky Lab whether or not you have satisfied this condition for the provision of Support Services. (ii) Support Services will terminate unless renewed annually by payment of the then-current annual support charge and by successful completion of the Support Services Subscription Form again. (iii) By completion of the Support Services Subscription Form you consent to the terms of the Kaspersky Lab Privacy Policy which is attached to this Agreement, and you explicitly consent to the transfer of data to other countries outside your own as set out in the Privacy Policy. (iv) (a) (b) Support Services means Daily updates of anti-virus database; Free software updates, including version upgrades;
(c) Extended technical support via E-mail and phone hotline provided by Vendor and/or Reseller; (d) Virus detection and curing updates in 24-hours period.
4. Ownership Rights. The Software is protected by copyright laws. Kaspersky Lab and its suppliers own and retain all rights, titles and interest in and to the Software, including all copyrights, patents, trademarks and other intellectual property rights therein. Your possession, installation, or use of the Software does not transfer any title to the intellectual property in the Software to you, and you will not acquire any rights to the Software except as expressly set forth in this Agreement. 5. Confidentiality. You agree that the Software and the Documentation, including the specific design and structure of individual programs and the Key Identification File constitute confidential proprietary information of Kaspersky Lab. You shall not disclose, provide or otherwise make available such confidential information in any form to any third party without the prior written consent of Kaspersky Lab. You shall implement reasonable security measures to protect such confidential information, but without limitation to the foregoing shall use best endeavors to maintain the security of the Key Identification File. 6. Limited Warranty