Kaspersky Endpoint Agent, like many other products, has a few different ways of enabling traces.
Traces folder
NB! The folder specified for traces must exist and be writable. KEA will neither create the folder nor display any error if it doesn't exist.
One may choose which is best suitable for their needs:
Traces with restart
In 99% of cases, information that is written only during initialization, that is, after a KEA restart, is critical for inves
Scenario:
KATA/EDR CN is integrated with the KPSN server, and you want to enrich the KPSN reputation database with the detections from the sandbox server. You can integrate a KATA Platform Central node with the KPSN reputation database and automatically populate it with information about the files that the sandbox technology finds to be dangerous and highly important.
Pre-requisites:
To configure sending checksums of the files detected by the sandbox technology to KPSN, you will n
Problem
How to configure the KEA exclusions required for KEA installed on AD controllers, to prevent slowdown and high hardware resource consumption.
Step-by-step guide
Add the following registry key to the affected AD controller's registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\SOYUZ\4.0\Environment]
"EnablePorts"=dword:00000001
"EnableSignatureLevel"=dword:00000001
"ServerProfile"=dword:0000000a
This operation should be done under the Local System account (eit
Don't apply this to a PCN: it will lead to the disconnection of all attached SCNs, and the connection will not restore automatically.
Problem Description
A PCN connection request gets stuck in the "Waiting" status and never fails. A reboot doesn't help. This can happen if, for example, an SCN IP address was specified instead of the PCN's.
Solution
Run the following commands as root:
Problem
There is no option to change the Local Administrator/Cluster Administrator in the pseudo-graphic menu that is available by default.
Solution
a) Upgrade to 5.1
b) Follow these steps:
Download the archive with the WHL packages.
Upload it to the KATA CN as /tmp/change_password.zip
Extract it (unzip is not shipped by default):
echo -e "import zipfile\nwith zipfile.ZipFile('/tmp/change_p
You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a script sample.
Adding more than 1000 prevention rules will require an additional PF to improve Web UI performance. Please contact technical support to get this PF.
Adding more than 5000 prevention rules is strongly NOT recommended, as it may result in drastic performance degradation on both the CN and the Endpoint Agent.
Step-by-step guide
Script sample. To run it, yo
This article provides additional details to the Online Help article.
Modern web servers use gzip compression for transferred web pages. Such compressed web pages should not be sent to the KATA API, as these files create unnecessary load on the Sandbox.
Content-Type - optional parameter
objectType - must always be a file (other types are not supported)
content - the object to send
scanId - ID of the object sent to KATA (must be unique)
sensorId - ID of the sending system
Most of the time, KEA core patches are cumulative, and it is sufficient to install the newer one on top of the previous one to fix new issues.
However, sometimes, for troubleshooting or other purposes, you need to remove an existing patch. This is how it's done.
Step-by-step guide
In the Administration Console, go to Advanced → Remote installation → Installation packages;
In the right frame, click Create installation package;
Select Create installatio
Sometimes you may need to check KSN server availability and operation on the KATA CN.
This method is not applicable to KATA 6.0. The tool is still present, but it returns error 0x80000001 (Interface not supported).
For KSN issues, there's a way to check the reputation of a specific hash:
Become root
sudo -i
Check the reputation of a specific hash by running the following command:
for KATA 4.+ and 5.0:
docker exec -it "$(do
Sometimes, KATA Sandbox may suddenly stop functioning normally and throw a self-diagnostic error. This may be caused by snapshot corruption. As one of the troubleshooting steps, you may remove the latest VM snapshots; this is a harmless procedure.
Step-by-step guide
Log in to the Sandbox via SSH and execute the following command:
ls -l /vm/qemu/vms/
total 36
drwxr
This article is applicable to both KATA and Kaspersky Sandbox 1. It's not applicable to KSB2.
In certain cases (e.g. a slow connection from the administrator's workstation to the datacenter) it may be troublesome to upload VM images to a freshly installed KATA Sandbox server. In such cases, you may prefer to transfer the VM images to the Sandbox with tools like WinSCP and then install them via command-line tools.
Step-by-step guide
The images should be transferred to the Sandbox. The files should be located in /va
This is an example of step-by-step instructions for configuring Single Sign-On (SSO) for KATA 4.1/5+/6+ in the HOME.LAB domain.
Prerequisites
The deployed Central Node server name should be an FQDN (in this case, the Central Node FQDN is kata-cn.home.lab).
It can be checked under Settings/Network Settings on the Central Node.
A and PTR records should be set for the Central Node in DNS.
A domain user account should be created to set up Kerberos authentication by means of a keytab f
Problem
If you install standalone Kaspersky Endpoint Agent, both the KSC installation package and the local installer provide an option to choose which KEA components to install:
However, when KEA is installed in the built-in scenario, bundled with KES or KSWS, you don't get to choose, and KEA is installed in the default configuration with all components.
There's a way to select installed KEA components even for built-in scenarios.
Using install_props.json for changing installed comp
For KATA 3.7.2
You can force a Sandbox Healthcheck run instead of waiting for the 30-minute timeout.
Step-by-step guide
Log in to the Sandbox Server via ssh.
To run the checker, first delete the /var/tmp/sbtest file:
rm /var/tmp/sbtest
Then run the checker and wait until it finishes:
Step-by-step guide
KATA 3.7.2
Connect via ssh to the central node/sensor node that is processing the SPAN traffic;
Proceed to Technical support mode;
Become root with the command:
# sudo -i
Create the file /etc/suricata/capture-filter.bpf with a line containing the traffic filtering conditions (the syntax is the same as for tcpdump filters); an example filter is shown below:
Exa
Sometimes you may want Kaspersky Endpoint Agent traces that start from the very beginning of its life, that is, from installation. This guide applies to local installation.
Step-by-step guide
Place the attached JSON file next to the endpointagent.msi file. Feel free to modify the path to the traces folder inside it.
Install Endpoint Agent using GUI or command line:
msiexec /i endpointagent.msi /qn
You may have purchased both the KATA and KWTS (Kaspersky Web Traffic Security) products. Since KWTS has built-in KATA integration, you may want to integrate KATA and KWTS.
Problems after integration
Shortly after integration you may notice that on the KWTS side there is an error about sending objects to KATA, and the dashboards look similar to this:
Resolution
The prerequisite for successful integration with KWTS is KATA version 3.6.1.752 or higher.
KATA side
To
Security officers may need raw alert data from KATA for further processing in Excel or similar tools.
Here's how to export all alerts from the KATA database to a .csv file:
KATA 3.7.2
sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\""
Instead of simply copying all alerts
You may not want to use all 3 or 4 (depending on the settings chosen in the web setup) VMs in the KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be an SB self-diagnostics error in the KATA web interface. Usually it's the WinXP image that gets excluded.
This article is applicable only to KATA 4.1/5.0
Image names for 4.1:
CentOS7_x64, WinXP, Win7_x64, Win10_x64
Image names for 5.0:
Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Sometimes EDR agents generate more telemetry than anticipated. There's an option to tune telemetry collection via KEA bases; to do so, a telemetry profile, aka a "topic dump", is needed in a ready-to-use format.
In order to collect telemetry, do the following:
Please do not run apt-sedr-reset before collecting topic dumps.
Execute the following comma
How to upgrade a previously installed password-protected KEA using a KSC remote installation task.
Step-by-step guide
Edit the attached install_props.json file and put in it the password for the already installed KEA;
Put this file into the folder on KSC containing the files for creating the remote installation package for the new KEA version, as per the screenshots below;
Create the remote installation package on KSC;
Start remote installation task on KSC.
Configuring the KEA update task is of crucial importance: updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means of checking the bases version locally.
The solution is to check the bases version locally via the CLI.
KEA for Windows bases date
From Elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\En
You may want to obtain a list of all EDR agents that have ever connected to KATA.
Step-by-step guide
KATA 3.7+
Connect to Central Node via ssh, choose Technical support mode, become root:
$ sudo -i
Execute command:
sudo -u p
How to monitor KATA system health, such as CPU, HDD and memory usage, service status, etc.? How to output this information?
Locally, product operation and component health can be monitored in the KATA dashboard. CPU, memory and similar metrics can be viewed using built-in Linux tools in support mode. The available remote monitoring options are:
Using SNMP
Heartbeats in SIEM integration