Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem
You may use images with installed KEA that are distributed to multiple devices, or some hardware vendors (ACER) do not comply with standards and sell hardware with non-unique BIOS IDs, etc.
As a result, a telemetry from different agents may end up merged into a single record.
Symptoms
Certain hostnames are present in KATA alerts, but search returns 0 events. Mo
As stressed in the product documentation, Sandbox, which is deployed as a Virtual Machine, should have an exact sizing, violation of which may lead to various issues. The only parameter that can be varied is a CPU clock rate.
Common mistake
The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources.
Correct approach is to create a respective number of additional VM
In order to upgrade KATA from 3.7.2 to 4.0 > 4.1 > 5.0 > 5.1 > 6.0 please follow the manual below.
Step-by-step guide
Prior to PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes.
After upgrade Sandboxes and Sensors must be reinstalled, disconnected SCNs – upgrade to 4.0 and 4.1 and then reconnect them to PCN.
Upgrade order described here - https://support.kaspersky.com/KATA/4.0/en-US/198801.htm
Problem description:
After generating the client certificate on central node and upload it to KES policy, you can get the below error:
Enter a crypto-container password to use the certificate.
Note: If you are using KEA as a standalone product with KEA policy, you can upload the client certificate properly.
Root cause:
By default, the cryptographic container is not password-protected. The cryptographic container contains only the certificate file, but not the priva
Description and cautions
KSN connection error on KATA web may appear.
Details
It could be fixed unless you don't have permanent KSN errors, you have to check it in ksn_proxy.log DEBUG level. Key word is ErrCount. If you don't see Errcount: 0 in log, then you don't have access to our KSN servers which are:
*.ksn.kaspersky-labs.com
ksn-*.kaspersky-labs.com
ds.kaspersky.com
2. In order to fix this web error do as below
For KATA 4.0/4.1
Don't forget to install 6.0.1 and 6.0.2 patch, which fixes some bugs in ICAP integration.
Description and cautions
Since we have new ICAP working modes, presented in KATA 6.0 - https://support.kaspersky.ru/KATA/6.0/en-US/247269.htm , we would like to show you, how to configure such integration on example of squid proxy server.
Added ICAP integration with feedback. ICAP integration with feedback can work in two modes:
Standa
As stressed in the product documentation, Sandbox, which is deployed as a Virtual Machine, should have an exact sizing, violation of which may lead to various issues. The only parameter that can be varied is a CPU clock rate.
Common mistake
The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources.
Correct approach is to create a respective number of additional VM
Versions
Applicable to versions later than 5.0, 5.1, 6.0, 6.0.1, etc.
Problem
There are several cases where the standard method of changing interface network settings via the Web UI is not available, e.g. the Web UI is inaccessible.
Solution
Become root, save the nodes settings:
sudo su
console-settings-updater get /deploy/deployment_api/nodes | python3 -m json.
Second part of this article is also applicable to KSB 2.0, details about it below.
It's rather hard to understand if malware channel works on KATA Sandbox or not. Here's a simple and reliable way of doing it.
Step-by-step guide
Create a .bat script with commands that you would normally execute in console to check internet connection - like ping or tracert, - and redirect commands output to file. Here's the example of such script.
Upload this script to Storage and wa
This article is fully applicable to KSB 2.0 server as well
You may want to gather KATA Sandbox diagnostics via SSH, without accessing Web UI. Here's how to do it.
Step-by-step guide
Login to Sandbox via SSH and become root. Then, execute the command:
Produce collect
sb-logs --create '/tmp' '-7'
chmod 777 /tmp/sandbox-debug-report*
Versions
Applicable to versions above 5: 5.0, 5.1, 6.0, 6.0.1, etc.
You can fancy access log-history logs (former apt-history) directly for convenience purposes or if the kata-collect-siem-logs tool is malfunctioning for some reason.
These logs are in gzip, sorted by dates, as files with names in format: /data/volumes/s3proxy/log-history/YYYY-MM-DD-HH-MM-SS, where YYYY-MM-DD-HH-MM-SS is the datetime.
basename -a /data/volumes/s3proxy/log-history/2024*
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem Description, Symptoms & Impact
It is not possible to use a proxy server for KATA 5.0 and/or KATA 5.1 CN on TCP ports 8080, 8090 or 8091. If you will configure in KATA 5.0/5.1 proxy server connection settings using one of those ports, then such configuration will result in KATA update task failure and KSN connection errors right after those settings will be applied.
This happens due to t
1.1. Scenario:
KATA/EDR CN is deployed on site, and there are some remote users that cannot connect to the internal network, and you want to receive the EDR telemetry from those endpoints and laptops when they are outside the network (considering that you don't have any VPN functionality).
You don't want to expose the CN on the internet, so you'd like to use the sensor to relay the telemetry to the CN and have visibility on the endpoints.
1.2. Pre-requisites and configuration step
Description and cautions
This article may be useful in certain cases, when you see that virtual machines running on the KATA Sandbox can not access internet using the properly configured malware interface. One can notice the issue based on several symptoms, such as VM activation errors, samples sent to Sandbox for processing not accessing internet, etc... We recommend to use the following article to check if the malware channel works properly on the KATA Sandbox server or not:
https://
The scenario is applicable for KEA version 3.10 and above.
There is no built-in feature to perform Yara-scan using KATA/EDR Expert 3.7.2. But if necessary, it's possible to perform it using KEA 3.10 and above.
Yara-scan using the Command line
Requirements:
KEA 3.10 (and above) installed
Files with Yara-rules (*.yara; *.yar)
Scenario:
Ensure that KEA is installed and running;
Run the Yara-scan
This works an all KATA CN versions from 3.6.1 to 5.1
You can execute the queries below with Curl to get the text representation of agent status. SSO login and password must be used, limit of 200 entries is used in the example query.
JSONs with agent status
curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false
The article is applicable to KEA 3.x (any cf) as part of [KATA+]EDR solution.
1.1. Problem
Some hosts (usually server, eg. Windows Server 2012 R2) will not appear in CN dashboard after being configured using correct settings, including a valid TLS certificate. In the known case, such Endpoint Agents were configured locally using the command line, not via policy; however, we were able to verify that the same configuration led to successful connection on most hosts.
During trou
Description and cautions
This is short article about how to burn KATA ISO on USB drive.
For KATA 4.0/4.1 you need 8Gb USD drive, for 5.0/5.1 - 16Gb at least.
3d party solutions are involved, therefore success is not guaranteed. Ventoy is more preferable working method.
Details
Download latest Rufus release or Ventoy, how to use Ventoy described here or Balena http:// https://etcher.balena.io/
[Rufus part] Open it and select respective KATA IS
Here's how to change web UI certificate for KATA SB.
Create backup of original files with same rights as it was before (you can check them with ll /etc/nginx/ssl command)
cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig
cp -p /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.orig
Rep
Issue
In KATA 4.1, when Central Node was used as Sensor, it was possible to access Traffic Capture and disable protocol, e.g SMTP.
CN-Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500.htm
Standalone Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500_1.htm
In KATA 5.0, this possibility is missing from docs and from CN and only available on Standalone Sensor:
Solution
Workaround is to use CLI and access pre
To create a Certificate Signing Request file using the openssl utility:
1. Prepare a file named sandbox.config with the following contents:
[req]
default_bits=2048
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
[dn]
C=AE
ST=North
L=Dubai
O=ABC LAB
OU=IT Security
emailAddress=security@abc.lab
CN=katasb.abc.lab
[req_ext]
sub
KATA Sandbox provides instruments to manage SB images, ISO files, and VM Slots number via CLI. For details, see below.
Slots
Sometimes, it is convenient to change a slot number via CLI. To do so, become a root user and run:
/opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots>
Change slots number via CLI
# /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12
Description and cautions
One may need to change the admin account's password (the account used for SSH login).
KATA 5.0
For KATA 5.0 this article is not applicable. No option to change Local Administrator/ Cluster Administrator in pseudo-graphic menu available by default in 5.0 See https://forum.kaspersky.com/topic/how-to-reset-kata-web-administrator-password-in-kata-50-katakedre-36844/
Details
In case of standalone Central node:
Login to the web-i
Collect script output is a must for most KATA-related issues and questions.
Which information?
Which file?
How to find/interpret?
Example
КАТА version and role: CN/PCN/SCN/Sensor
/config/apt-va
File contains the version and role in human-readable form. Al
As the first step of troubleshooting of KEA, we recommend installing the latest core patch.
However, sometimes such installation will fail. There are two popular causes of this:
EULA is not accepted;
KEA installation is protected with a password.
This guide addresses both of these issues.
# in Password Symbol
Due to limitations in KSC, when creating a custom package for remote deployment in KSC, or editing package configuration file (.kpd) directly,
