We are looking to deploy Kaspersky Workstation to our network which is a non-Windows workstation and where we block all Windows file sharing. From looking at the Administration Kit, it looks as though it is geared towards Windows networks. Further playing around with the admin kit, it looks like to install the agent and the workstation av to our computers, we would have to allow Windows file sharing which really isn't an option. Digging around in the directory structure on the admin server, I found the installation files for the agent and the workstation and was able to install them locally without the remote install. My problem now is that it looks like there has to be an account on the system that has a common username and password across all of the computers on our network to run any of the tasks. Which, to me, is a security flaw since it is so very easy to crack the windows passwords. Am I missing something or is this really the only option?
Thanks for your time and input.
Full Version: Options for a non-Windows Network
Once you have Network Agent installed on clients, you don't need to worry about user accounts and passwords to run update or scan task.
You would need an common user and password for all computers if you would remotely deploy an app without the agent.
Updates are distributed via file sharing to your clients, that would be a problem for you.
You would need an common user and password for all computers if you would remotely deploy an app without the agent.
Updates are distributed via file sharing to your clients, that would be a problem for you.
I have to say, that makes it very difficult for those of us who aren't in a windows environment.
Surely someone has over came this issue before. Is file sharing and Windows networking the only way?
Thanks for your response by the way.
Surely someone has over came this issue before. Is file sharing and Windows networking the only way?
Thanks for your response by the way.
I didn't understand yet what you mean with "non-Windows environment"...
Is your network based on workgroups or domain? Don't you have Microsoft Windows computers?
Is your network based on workgroups or domain? Don't you have Microsoft Windows computers?
By a non-Windows network, by which I mean we do not allow windows file sharing, we do not have Active Directory nor Domain Servers, we have a Novell network.
I spoke with a Kaspersky tech earlier today, and he said that we must have a predefined username and password on all machines that will need to have a task pushed to it. He also said to update the clients, we have to allow Windows File Shares and that there is no other way unless we want our clients to go directly to Kaspersky.
It looks as though we will not be able to make the switch to Kaspserky due to the reliance on Windows File Sharing which we are hesitant to allow and having a username/password on all machines, which to me, seems to be a huge security risk. It's really disappointing to see such a great AV product have such a poor administration program.
I spoke with a Kaspersky tech earlier today, and he said that we must have a predefined username and password on all machines that will need to have a task pushed to it. He also said to update the clients, we have to allow Windows File Shares and that there is no other way unless we want our clients to go directly to Kaspersky.
It looks as though we will not be able to make the switch to Kaspserky due to the reliance on Windows File Sharing which we are hesitant to allow and having a username/password on all machines, which to me, seems to be a huge security risk. It's really disappointing to see such a great AV product have such a poor administration program.
Username and password are only needed when deploying applications remotelly.
You don't need common username and password for scan and update tasks after you got Network Agent installed on the client computer.
But, you DO need windows file sharing for updates. Not a big deal, it's a shared folder with updates, nothing more.
Without this, how could client computers update if not from Internet?
You don't need common username and password for scan and update tasks after you got Network Agent installed on the client computer.
But, you DO need windows file sharing for updates. Not a big deal, it's a shared folder with updates, nothing more.
Without this, how could client computers update if not from Internet?
They could update their definitions via another protocol such as HTTP or FTP like other AV products.
Also, you say that a username/password is not needed, but when I create a task, it specifically asks me for a username and password or use the default one.
Also, you say that a username/password is not needed, but when I create a task, it specifically asks me for a username and password or use the default one.
Yes, HTTP or FTP could be an option.
Let it use default. It will use the same account that is used to start Kaspersky Admininistration Server's service, in your case Local System Account.
Let it use default. It will use the same account that is used to start Kaspersky Admininistration Server's service, in your case Local System Account.
QUOTE(Gravity Gripp @ 15.04.2008 19:11) 
By a non-Windows network, by which I mean we do not allow windows file sharing, we do not have Active Directory nor Domain Servers, we have a Novell network.
I spoke with a Kaspersky tech earlier today, and he said that we must have a predefined username and password on all machines that will need to have a task pushed to it. He also said to update the clients, we have to allow Windows File Shares and that there is no other way unless we want our clients to go directly to Kaspersky.
It looks as though we will not be able to make the switch to Kaspserky due to the reliance on Windows File Sharing which we are hesitant to allow and having a username/password on all machines, which to me, seems to be a huge security risk. It's really disappointing to see such a great AV product have such a poor administration program.
I spoke with a Kaspersky tech earlier today, and he said that we must have a predefined username and password on all machines that will need to have a task pushed to it. He also said to update the clients, we have to allow Windows File Shares and that there is no other way unless we want our clients to go directly to Kaspersky.
It looks as though we will not be able to make the switch to Kaspserky due to the reliance on Windows File Sharing which we are hesitant to allow and having a username/password on all machines, which to me, seems to be a huge security risk. It's really disappointing to see such a great AV product have such a poor administration program.
1. To deploy Kaspersky Network Agent in your environment, I recommend you to use login script for Novell domain to install Kaspersky Network Agent on the client computers. Another option is to have Kaspersky Network Agent installation package on the shared folder of HTTP server and to make users start installation package in the silent mode (for example, by sending an e-mail).
2. When you have Kaspersky Network Agent on the client computers, there is no need for any Windows protocols to manage client computers. You can deploy and update and manage client computers using connection between Network Agent and administration server.
1. Installation of the programs won't be an issue.
2. If this is true, then why would I need to specify a "Default Account" or to specific username when creating a task to be pushed out? What should i put for these entries when creating a new task? The last time I tried to push out an update to a client via a task, it would not work until I specified a username and password that was on the machine. The network agent was on the machine at the time. Was I doing something wrong?
2. If this is true, then why would I need to specify a "Default Account" or to specific username when creating a task to be pushed out? What should i put for these entries when creating a new task? The last time I tried to push out an update to a client via a task, it would not work until I specified a username and password that was on the machine. The network agent was on the machine at the time. Was I doing something wrong?
QUOTE(Gravity Gripp @ 17.04.2008 08:14)
2. If this is true, then why would I need to specify a "Default Account" or to specific username when creating a task to be pushed out? What should i put for these entries when creating a new task? The last time I tried to push out an update to a client via a task, it would not work until I specified a username and password that was on the machine. The network agent was on the machine at the time. Was I doing something wrong?
You don't need to specify any account. In your case "Default Account" will be used. It means that Kaspersky Network Agent will work under Local System account all the time.
Do you have correct connection between Network Agent and administration server? Please use klnagchk utility to check connection. Information below should help:
http://support.kaspersky.com/ak6mp1/error?qid=208279222
http://support.kaspersky.com/ak6mp1/error?qid=208279223
In case you have correct connection between Network Agent and administration server AND the source of updates in the download updates task properties is "Kaspersky Administration Server", then updating clients from administration server should work OK. In case it is not, please see task history and post it here.
Regarding deploying the agent via the login script, is there a way to make a single executable that already has the server information in it?
run:
"\\your_server\KLSHARE\Packages\NetAgent 6.0.1572\lsexec.exe" /S
or the respective directory to your Agent folder
"\\your_server\KLSHARE\Packages\NetAgent 6.0.1572\lsexec.exe" /S
or the respective directory to your Agent folder
I appreciate your guys help with this matter and I have gotten most of it working 
Now, I just have one more question and I should be set. Is there a way to automatically place new computers into a group?
I've set the "Administration Group" on the network install to what I want it to be but it doesn't seem to place them in the group.
Thanks.
Now, I just have one more question and I should be set. Is there a way to automatically place new computers into a group?I've set the "Administration Group" on the network install to what I want it to be but it doesn't seem to place them in the group.
Thanks.
Alright, now I'm having a problem. I've wrote a install script that will install the network agent and the workstation. Both install fine and I reboot. On reboot, I check the server and the computer has not shown up. If I run the agent check as described in the above post, everything checks out (see below). Any idea on why it wouldn't be showing up on the server?
CODE
Starting utility 'klnagchk'...
Checking command line options...OK
Initializing basic libraries...OK
Current host is WORKGROUP\USER-F8F12341
Reading the settings...OK
Settings verification...OK
Network Agent settings:
Administration Server address: 'severhost'
Use SSL connection: 1
Numbers of the Administration server SSL ports: '13000'
Numbers of the Administration server ports: '14000'
Administration Server certificate: available
Use proxy server: 0
Open UDP port: 1
Numbers of UDP ports: '15000'
Synchronization period, min.: 15
Connection timeout, sec.: 30
Send/receive timeout, sec.: 180
Attempt to connect to the Administration server...OK
Attempt to connect to the Network Agent...OK
Administration Agent is running
Receiving the Network Agent's statistical data...OK
Network Agent's statistical data:
Total number of synchronization requests: 1
The number of successful synchronization requests: 1
Total number of synchronizations: 1
The number of successful syncrhonizations: 1
Date/time of the last request for synchronization:4/18/2008 2:39:19 PM GMT (4/18
/2008 10:39:19 AM)
Deinitializing basic libraries...OK
Checking command line options...OK
Initializing basic libraries...OK
Current host is WORKGROUP\USER-F8F12341
Reading the settings...OK
Settings verification...OK
Network Agent settings:
Administration Server address: 'severhost'
Use SSL connection: 1
Numbers of the Administration server SSL ports: '13000'
Numbers of the Administration server ports: '14000'
Administration Server certificate: available
Use proxy server: 0
Open UDP port: 1
Numbers of UDP ports: '15000'
Synchronization period, min.: 15
Connection timeout, sec.: 30
Send/receive timeout, sec.: 180
Attempt to connect to the Administration server...OK
Attempt to connect to the Network Agent...OK
Administration Agent is running
Receiving the Network Agent's statistical data...OK
Network Agent's statistical data:
Total number of synchronization requests: 1
The number of successful synchronization requests: 1
Total number of synchronizations: 1
The number of successful syncrhonizations: 1
Date/time of the last request for synchronization:4/18/2008 2:39:19 PM GMT (4/18
/2008 10:39:19 AM)
Deinitializing basic libraries...OK
QUOTE(Gravity Gripp @ 18.04.2008 10:06)
I appreciate your guys help with this matter and I have gotten most of it working Now, I just have one more question and I should be set. Is there a way to automatically place new computers into a group?
I've set the "Administration Group" on the network install to what I want it to be but it doesn't seem to place them in the group.
Thanks.
Now, I just have one more question and I should be set. Is there a way to automatically place new computers into a group?I've set the "Administration Group" on the network install to what I want it to be but it doesn't seem to place them in the group.
Thanks.
Yes, see page 44 and 45, function Move computers from domain, Active Directory group or IP subnet:
http://dnl-eu8.kaspersky-labs.com/docs/eng..._admguideen.pdf
QUOTE(Gravity Gripp @ 18.04.2008 11:46)
Alright, now I'm having a problem. I've wrote a install script that will install the network agent and the workstation. Both install fine and I reboot. On reboot, I check the server and the computer has not shown up. If I run the agent check as described in the above post, everything checks out (see below). Any idea on why it wouldn't be showing up on the server?
First, try looking for it inside Network folder and Groups folder using Find computer option in the context menu. Try searching by name or IP Address.
If it doesn't shows up, check if 'serverhost' and 'user-f8f12341' are in the same subnet. If not, right-click Network folder, go to View - IP Subnet and add the subnet of 'user-f8f12341'. Wait a few minutes and search for it inside the new subnet.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.