Entries in this blog

How to renew KEA unique identifier on cloned devices [Kaspersky Endpoint Agent]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem
You may use images with KEA installed that are distributed to multiple devices, or some hardware vendors (ACER) do not comply with standards and sell hardware with non-unique BIOS IDs, etc. As a result, telemetry from different agents may end up merged into a single record.
Symptoms
Certain hostnames are present in KATA alerts, but search returns 0 events. Mo


svc_kms in How-to

How to manage VMs, images, and slots via CLI in KATA SB [KATA/KEDRE]

KATA Sandbox provides tools to manage SB images, ISO files, and the number of VM slots via CLI. For details, see below.
Slots
Sometimes it is convenient to change the number of slots via CLI. To do so, become root and run:
/opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots>
Change the number of slots via CLI:
# /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12


svc_kms in How-to

KATA 4+ SSO problems for users with too many AD groups [KATA/KEDRE]

Problem
When a user is a member of many AD groups, they may be unable to log in to the KATA web interface via SSO: the Kerberos ticket sent in the Negotiate header carries every group SID, so the request headers outgrow the default uwsgi buffer.
Step-by-step guide
1. Modify /etc/opt/kaspersky/apt-swarm/swarm_config.json like this (set buffer_size to 65535 under the uwsgi section; it is at the bottom of the file).
2. Execute via SSH:
apt-settings-manager get /configuration/web_backend | python -m json.tool > /tmp/web_backend


svc_kms in Known Problem

Sandbox-debug-report larger than 1Gb fails to download from WebUI [KATA Sandbox]

Problem Description, Symptoms & Impact
When downloading large collects (sandbox-debug-report) exceeding 1 GB in size, the download suddenly fails above 1 GB (at ~1 05x xxx KB).
Diagnostics
Reproducible in all browsers and not bound to download speed; the downloaded part is roughly 1 GB.
Workaround & Solution
Workaround: download the sandbox-debug-report using SCP and the CLI, see https://forum.kaspersky.com/topic/how-to-gather-sandbox-debug-report-from-terminal-katakedre-36851/


svc_kms in Known Problem

Certified LENA 3.12 is not updating [Kaspersky Endpoint Agent]

Issue
The "Databases and modules update" task is configured for hosts with LENA 3.12 installed and is executed via KSC, but the databases are not updated.
Diagnostics
An "Activate KEA" task is configured for the hosts with LENA, or was configured and deleted in the past. Running the update locally with lenactl works. KLNagent synchronizes with the server successfully. Other installed applications (e.g. KESL) show no synchronization issues.
Workaround
To fix the issue:


svc_kms in Known Problem

How to monitor KATA system health [KATA/KEDRE]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
How do you monitor KATA system health (CPU, disk and memory usage, service status, and so on), and how can this information be exported? Locally, product operation and component health can be monitored in the KATA dashboard; CPU, memory and similar metrics can be viewed with the built-in Linux tools in support mode. Available remote monitoring options are:
- using SNMP
- heartbeats in SIEM integration


svc_kms in How-to

How to check KEA bases version [Kaspersky Endpoint Agent]

Configuring the KEA update task is crucial: updated KATA telemetry filters, exclusions and performance optimizations are delivered via the bases. However, KEA has no transparent way to check the bases version locally; the solution is to check it via CLI.
KEA for Windows bases date
From an elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\En


svc_kms in How-to

Registry branches that are scanned by the IoC task [Kaspersky Endpoint Agent]

When creating an IoC scan task, only the following registry branches are scanned.
<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
'{
LR"(HKEY_CLASSES_ROOT\htafile)",
LR"(HKEY_CLASSES_ROOT\batfile)",
LR"(HKEY_CLASSES_ROOT\exefile)",
LR"(HKEY_CLASSES_ROOT\comfile)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",


svc_kms in Known Problem

How to configure Single-Sign-On For KATA 4.1/5+/6+ [KATA/KEDRE]

This is an example step-by-step instruction for configuring Single Sign-On (SSO) for KATA 4.1/5+/6+ in the HOME.LAB domain.
Prerequisites
- The deployed Central Node server name should be an FQDN (in this case the FQDN of the Central Node is kata-cn.home.lab). It can be checked under Settings/Network Settings of the Central Node.
- A and PTR records should be set for the Central Node in DNS.
- A domain user account should be created to set up Kerberos authentication by means of a keytab f


svc_kms in How-to

How to use certificate chain for Web UI [KATA/KEDRE]

You may want the KATA Web UI to serve the full certificate chain. Here's how to do it.
Step-by-step guide
Preparing the certificate chain for use in the nginx_gateway configuration
We start with the full certificate chain in the familiar PEM form. Note that the chain should contain the desired intermediate authorities' certificates (public keys). Do not add the private key to the chain. First, transfer it to the Central Node. It's recommended to do all further actions on the Central Node, as in dif
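Before the chain file goes anywhere near the nginx_gateway configuration, it is worth checking the two things the step above warns about: that the file holds only certificates (never the private key) and that it holds at least the leaf plus one intermediate, in order. The script below is an added example, not part of the forum article or of the KATA product; it uses only grep/awk and, when openssl is present, lists subject and issuer per certificate so you can confirm that each certificate's issuer is the subject of the next. The demo file it builds contains placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example (not from the forum article): sanity-check a PEM chain file before
# it goes into the nginx_gateway configuration. The chain must contain only
# certificates (leaf first, then intermediates) and never the private key.

# Succeeds (0) if the file contains any PEM private-key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
chain_has_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Number of certificate blocks in the file (prints 0 if none).
chain_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if the file looks like a usable chain: readable, no private key and at least
# two certificates (leaf plus intermediate). Otherwise 1 with a reason on stderr.
check_chain_file() {
  f="$1"
  [ -r "$f" ] || { echo "ERROR: cannot read $f" >&2; return 1; }
  if chain_has_private_key "$f"; then
    echo "ERROR: $f contains a private key block; keep the key in its own file" >&2
    return 1
  fi
  n=$(chain_cert_count "$f")
  if [ "$n" -lt 2 ]; then
    echo "ERROR: $f holds $n certificate(s); a chain needs the leaf plus at least one intermediate" >&2
    return 1
  fi
  echo "OK: $f holds $n certificates and no private key"
  # With openssl available, print subject/issuer in file order so the
  # leaf -> intermediate ordering can be confirmed by eye.
  if command -v openssl >/dev/null 2>&1; then
    openssl crl2pkcs7 -nocrl -certfile "$f" 2>/dev/null \
      | openssl pkcs7 -print_certs -noout 2>/dev/null \
      || echo "  (openssl could not parse the certificates in $f)"
  fi
  return 0
}

# Stand-alone demo on a constructed file with placeholder certificate bodies
# (not real certificates); a real run points check_chain_file at your chain.pem.
demo_chain_check() {
  tmp=$(mktemp)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAFPLACEHOLDER' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'INTERMEDIATEPLACEHOLDER' '-----END CERTIFICATE-----' > "$tmp"
  check_chain_file "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

demo_chain_check
```

Run it as `check_chain_file chain.pem` on the Central Node after the transfer. A non-zero exit means the file is not safe to reference from the gateway configuration; the most common mistake it catches is a combined "cert + key" export from a Windows or appliance UI, which would expose the private key if the chain file is ever served or copied around.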


svc_kms in How-to

How to disable mandatory amount of VM images KATA SB 4.1/5.0 [KATA/KEDRE]

You may not want to use all 3 or 4 VMs (depending on the settings chosen during web setup) in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be an SB self-diagnostics error in the KATA web interface. Usually it's the WinXP image that gets excluded. This article is applicable only to KATA 4.1/5.0.
Image names for 4.1: CentOS7_x64, WinXP, Win7_x64, Win10_x64
Image names for 5.0: Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64
KATA


svc_kms in How-to

KATA 4.0: Nessus complains about weak KEX [KATA/KEDRE]

Problem
After a Nessus vulnerability scan of Central Node 4.0 servers, you may see the following:
Ports: 22-tcp
Description: The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ss
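To confirm the finding yourself, rather than relying on the scanner's summary, compare what the Central Node's sshd actually offers against the SHA-1 and 1024-bit-group methods that the cited draft (later published as RFC 9142) deprecates. The script below is an added example and not part of the forum article; its deny list is an assumption modelled on the usual scanner list, and `server_kex_list` assumes nmap with the ssh2-enum-algos script is installed on the machine you scan from. The list checked in the demo is constructed, not a real scan result.

```shell
#!/bin/sh
# Added example (not from the forum article): flag SSH key-exchange methods that
# draft-ietf-curdle-ssh-kex-sha2 (published as RFC 9142) deprecates and that
# scanners such as Nessus report as weak: SHA-1 based and 1024-bit-group methods.

# Classify one KEX method name. The deny list is an assumption based on the
# common scanner list; extend it to match your own policy.
is_weak_kex() {
  case "$1" in
    diffie-hellman-group1-sha1|diffie-hellman-group-exchange-sha1|rsa1024-sha1) return 0 ;;
    gss-gex-sha1-*|gss-group1-sha1-*|gss-group14-sha1-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Check a whitespace-separated list of KEX names; prints each weak one and
# returns 1 if any was found, 0 if the list is clean.
check_kex_list() {
  found=0
  for alg in $1; do
    if is_weak_kex "$alg"; then
      echo "WEAK: $alg"
      found=1
    fi
  done
  return $found
}

# Pull the server's offered KEX list with nmap's ssh2-enum-algos script
# (assumes nmap is installed; the argument is the Central Node you are checking).
server_kex_list() {
  nmap -p 22 --script ssh2-enum-algos "$1" 2>/dev/null \
    | sed -n '/kex_algorithms/,/server_host_key_algorithms/p' \
    | grep -E '^\| +[a-z0-9@.-]+$' | awk '{print $2}'
}

# Stand-alone demo on a constructed list (not a real scan result).
SAMPLE_KEX="curve25519-sha256 diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1"
check_kex_list "$SAMPLE_KEX" || echo "weak KEX methods are offered; expect the Nessus finding"
```

Against a live node the call is `check_kex_list "$(server_kex_list kata-cn.example.org)"` (hostname assumed). On an ordinary Linux host the fix is a `KexAlgorithms` line in sshd_config that lists only the modern methods (curve25519-sha256, diffie-hellman-group14-sha256, diffie-hellman-group16-sha512 and the like) followed by an sshd restart; on a KATA Central Node the sshd configuration belongs to the appliance and may be reverted by product updates, so confirm the supported resolution with Kaspersky support before editing it. The article's own resolution is cut off on this listing page.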


svc_kms in Known Problem

KATA: KEA tasks FAQ [KATA/KEDRE]

What is the default synchronization period between KEA and CN? The sync period (every X minutes) for KEA is configurable in the KEA policy. The default synchronization period is 300 s (5 min). The same period applies to LENA.
What is the isolation workflow? In KATA, the CN creates a task for host isolation. KEA receives an 'isolate' command from the Central Node during synchronization. The agent turns on host isolation with the exclusions configured in the KEA policy. At the


svc_kms in Known Problem

How to get Endpoint Agent lists and statuses from CLI [KATA/KEDRE]

This works on all KATA CN versions from 3.6.1 to 5.1. You can execute the queries below with curl to get a text representation of agent status. SSO login and password must be used; a limit of 200 entries is used in the example query. Note that -k disables TLS certificate verification and that a password passed with -d ends up in shell history and the process list, so run this from a trusted session and prefer --cacert once the CN certificate is trusted.
JSONs with agent status
curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false


svc_kms in How-to

KSMG and KATA 4.0/4.1 integration: private fix [KATA/KEDRE]

KATA 4.0/4.1 is compatible with KSMG 2.0, KSMG 1 and KLMS 8.0.3. The second thing to notice is that the KSMG integration has a few bugs on the KATA side. Thankfully, all known issues are fixed in a private fix (PF), which is recommended for everyone who integrates KSMG/KLMS with KATA 4.
KATA 4.0
Step-by-step guide
Download the container with the fix and compare its md5 with the value below before loading it.
file_name: kata_scanner_35f8753e6d.tar.gz
md5: 2adb09c0bd13dfc03c6a5c8980dde4ff
container_name: kata_scanner
container_version: kata_scanner:35f8753e6


svc_kms in Known Problem

How to upgrade KATA 3.7.2 > 4.0 > 4.1 > 5.0 > 5.1 > 6.0 > 6.1 [KATA/KEDRE]

In order to upgrade KATA from 3.7.2 to 4.0 > 4.1 > 5.0 > 5.1 > 6.0, please follow the manual below.
Step-by-step guide
Prior to the PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes. After the upgrade, Sandboxes and Sensors must be reinstalled; disconnected SCNs must be upgraded to 4.0 and 4.1 and then reconnected to the PCN. The upgrade order is described here: https://support.kaspersky.com/KATA/4.0/en-US/198801.htm


svc_kms in How-to

How to test malware interface on KATA Sandbox [KATA/KEDRE]

The second part of this article is also applicable to KSB 2.0; details below. It's rather hard to tell whether the malware channel (the Sandbox's outbound interface for the detonation VMs) works on KATA Sandbox. Here's a simple and reliable way of checking it.
Step-by-step guide
Create a .bat script with the commands you would normally execute in a console to check the internet connection, such as ping or tracert, and redirect their output to a file. Here's an example of such a script. Upload this script to Storage and wa


svc_kms in How-to

KEA 3.9 -> 3.1x: Upgrade procedure [Kaspersky Endpoint Agent]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
An OS restart will be requested if you are upgrading KEA to a version above 3.11.
About
This article describes the best way of upgrading KEA 3.9 to the latest KEA version while avoiding known issues.
Procedure
1. Disable Password protection and Self-Defense in the KEA policy and lock the settings. Ensure that the policy is applied on all devices.
2. Upgrade the KEA plug-in on the KSC side.
3. Recreate


svc_kms in Known Problem

How to perform Yara-scan using KEA [Kaspersky Endpoint Agent]

The scenario is applicable to KEA version 3.10 and above. There is no built-in feature to perform a Yara scan in KATA/EDR Expert 3.7.2, but if necessary it is possible to perform one using KEA 3.10 and above.
Yara scan using the command line
Requirements: KEA 3.10 (or above) installed; files with Yara rules (*.yara, *.yar).
Scenario: ensure that KEA is installed and running; run the Yara scan


svc_kms in How-to

How to gather sandbox-debug-report from terminal [KATA/KEDRE]

This article is fully applicable to the KSB 2.0 server as well. You may want to gather KATA Sandbox diagnostics via SSH, without accessing the Web UI. Here's how to do it.
Step-by-step guide
Log in to the Sandbox via SSH and become root. Then execute the commands:
Produce the collect:
sb-logs --create '/tmp' '-7'
chmod 777 /tmp/sandbox-debug-report*
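The `chmod 777` in the last step makes the diagnostics archive world-writable, which is more than the SCP transfer needs: the copying user only has to read it. The script below, an added example that is not part of the forum article or the sb-logs tool, serves both this procedure and the SCP workaround for the "larger than 1 GB" download failure: it picks the newest sandbox-debug-report* in a directory, sets mode 0644 (readable by the SCP user, writable only by the owner), and prints the SHA-256 so the copy can be verified after transfer. The file name pattern comes from the article; the demo file is a constructed placeholder, not a real report.

```shell
#!/bin/sh
# Added example (not from the forum article): hand a sandbox-debug-report off for
# SCP without chmod 777. The archive holds host diagnostics, so it is made
# readable but not writable by other users (0644), and its SHA-256 is printed so
# the copy can be verified on the receiving side.

# Newest sandbox-debug-report* in the directory given (the article writes them
# to /tmp); prints nothing if there is none.
latest_report() {
  ls -t "$1"/sandbox-debug-report* 2>/dev/null | head -n 1
}

# Portable SHA-256 (sha256sum on Linux, shasum on BSD/macOS); prints "<hash>  <path>".
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Tighten the mode of the newest report and print "<sha256>  <path>".
# Returns 1 if no report is present.
prepare_report() {
  f=$(latest_report "$1")
  if [ -z "$f" ]; then
    echo "no sandbox-debug-report found in $1" >&2
    return 1
  fi
  chmod 0644 "$f"
  sha256_of "$f"
}

# Stand-alone demo on a constructed placeholder file (not a real report).
demo_prepare() {
  d=$(mktemp -d)
  printf 'placeholder archive contents\n' > "$d/sandbox-debug-report-demo.tar.gz"
  prepare_report "$d"
  rm -rf "$d"
}

demo_prepare
```

On the Sandbox, run `prepare_report /tmp` as root right after `sb-logs --create '/tmp' '-7'`, note the printed hash, copy the archive with scp from your workstation, and compare `sha256sum` of the local copy with it. Because /tmp has the sticky bit set, other users still cannot delete or replace the report, and 0644 leaves nobody but root able to modify it while it waits for pickup.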


svc_kms in How-to

How to purge inactive devices [KATA/KEDRE]

KATA doesn't have automatic removal of inactive agents, and it doesn't support VDI scenarios yet. So if you have many VDI clients in use, they will quickly use up the license.
Step-by-step guide
KATA 3.7.2
You can set up a cron task to remove clients periodically. For example, this code removes clients older than 3 days (it deletes rows directly from the antiapt database, so take a database backup before scheduling it):
sudo -u kluser psql antiapt -c "delete from agent_status where last_packet_ti


svc_kms in How-to

How to collect telemetry dump for load profile analysis [KATA/KEDRE]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Sometimes EDR agents generate more telemetry than anticipated. Telemetry collection can be tuned via the KEA bases, and to do that a telemetry profile, aka "topic-dump", is needed in a ready-to-use format. To collect telemetry, do the following.
Do not run apt-sedr-reset before collecting topic dumps.
Execute the following comma


svc_kms in How-to
