
About this blog

Entries in this blog

How to upgrade KATA 3.7.2 > 4.0 > 4.1 > 5.0 > 5.1 > 6.0 > 6.1 [KATA/KEDRE]

To upgrade KATA from 3.7.2 to 4.0 > 4.1 > 5.0 > 5.1 > 6.0, follow the manual below. Step-by-step guide: Prior to the PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes. After the upgrade, Sandboxes and Sensors must be reinstalled; the disconnected SCNs must be upgraded to 4.0 and then 4.1 and then reconnected to the PCN. The upgrade order is described here: https://support.kaspersky.com/KATA/4.0/en-US/198801.htm

svc_kms

svc_kms in How-to

How to test malware interface on KATA Sandbox [KATA/KEDRE]

The second part of this article is also applicable to KSB 2.0; details are given below. It is rather hard to tell whether the malware channel works on KATA Sandbox or not. Here is a simple and reliable way to check it. Step-by-step guide: Create a .bat script with the commands that you would normally execute in a console to check the internet connection (such as ping or tracert) and redirect the commands' output to a file. Here is an example of such a script. Upload this script to Storage and wa

svc_kms

svc_kms in How-to

How to send file to KATA via API [KATA/KEDRE]

This article provides additional details to the Online Help article. Modern web servers use gzip compression for transferred web pages. Such compressed web pages should not be sent to the KATA API, as these files create unnecessary load on the Sandbox. Request parameters: Content-Type (optional); objectType (must always be file; other types are not supported); content (the object to send); scanId (ID of the object sent to KATA, must be unique); sensorId (ID of the system sending

svc_kms

svc_kms in How-to

How to reset KATA web Administrator password in KATA 5.0 [KATA/KEDRE]

Problem: By default there is no option to change the Local Administrator/Cluster Administrator password in the pseudo-graphic menu. Solution: a) Upgrade to 5.1, or b) follow these steps: Download an archive with the WHL packages. Upload it to the KATA CN as /tmp/change_password.zip. Extract it (no unzip is shipped by default): echo -e "import zipfile\nwith zipfile.ZipFile('/tmp/change_p

svc_kms

svc_kms in How-to

How to replace pinned TLS Certificate [KATA/KEDRE]

KATA / EDR uses a single certificate for all connections (such as the web server and client connections). If you plan to replace it, do so at an early stage of deployment. To replace the TLS certificate, you will need to: Reauthorize the mail sensors (KSMG, KLMS) on the Central Node. Reconfigure the connection of the Central Node, PCN and SCN to the Sandbox. Reconfigure Endpoint Agent traffic redirection to the Sensor and the trusted connection with the Endpoint Agent. Upload a new c

svc_kms

svc_kms in How-to

How to renew KEA unique identifier on cloned devices [Kaspersky Endpoint Agent]

Problem: You may be using images with KEA installed that are distributed to multiple devices, or some hardware vendors (ACER) do not comply with standards and sell hardware with non-unique BIOS IDs, etc. As a result, telemetry from different agents may end up merged into a single record. Symptoms: Certain hostnames are present in KATA alerts, but a search returns 0 events. Mo

svc_kms

svc_kms in How-to

How to remove VM snapshots from KATA Sandbox [KATA/KEDRE]

Sometimes KATA Sandbox may suddenly stop functioning normally and throw a self-diagnostic error. This may be caused by snapshot corruption. As one of the troubleshooting steps, you may remove the latest VM snapshots; this is a harmless procedure. Step-by-step guide: Log in to the Sandbox via SSH and execute the following command: ls -l /vm/qemu/vms/ total 36 drwxr

svc_kms

svc_kms in How-to

How to remove KSN connection error on web [KATA/KEDRE]

Description and cautions: A KSN connection error may appear on the KATA web interface. Details: It can be fixed as long as you do not have permanent KSN errors; check this in ksn_proxy.log at DEBUG level. The key word is ErrCount. If you do not see ErrCount: 0 in the log, you do not have access to the KSN servers, which are: *.ksn.kaspersky-labs.com, ksn-*.kaspersky-labs.com, ds.kaspersky.com. To fix this web error, proceed as below. For KATA 4.0/4.1

svc_kms

svc_kms in How-to

How to remotely uninstall KEA Core Patches through KSC [Kaspersky Endpoint Agent]

Most of the time KEA core patches are cumulative, and it is sufficient to install the newer one on top of the previous one to fix new issues. However, sometimes, for troubleshooting purposes or otherwise, you may need to remove an existing patch. This is how it is done. Step-by-step guide: In the Administration Console, go to Advanced → Remote installation → Installation packages; in the right frame, click Create installation package; select Create installatio

svc_kms

svc_kms in How-to

How to purge inactive devices [KATA/KEDRE]

KATA has no automatic removal of inactive agents, and it does not support VDI scenarios yet. So if you have many VDI clients in use, they will quickly fill up the license. Step-by-step guide: KATA 3.7.2: You can set up a cron task to remove clients periodically; for example, this command removes clients older than 3 days: sudo -u kluser psql antiapt -c "delete from agent_status where last_packet_ti

svc_kms

svc_kms in How-to

How to perform Yara-scan using KEA [Kaspersky Endpoint Agent]

This scenario is applicable to KEA version 3.10 and above. There is no built-in feature to perform a Yara scan in KATA/EDR Expert 3.7.2, but if necessary it is possible to perform one using KEA 3.10 and above. Yara scan using the command line. Requirements: KEA 3.10 (or above) installed; files with Yara rules (*.yara; *.yar). Scenario: Ensure that KEA is installed and running; run the Yara scan

svc_kms

svc_kms in How-to

How to mount an NFS share for backups storage in KATA 5.x [KATA/KEDRE]

Problem: In previous versions of KATA it was possible to mount an NFS share to copy backups to. In KATA 5.x only CIFS share mounts are available out of the box. Error: root@1.srv.node1.node.dyn.kata:/home/admin# mount -t nfs 10.225.62.41:/mnt/NFS/KXDR /mnt/nfs mount: /mnt/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

svc_kms

svc_kms in How-to

How to monitor KATA system health [KATA/KEDRE]

How can KATA system health (CPU, HDD, memory usage, service status, etc.) be monitored, and how can this information be output? Locally, product operation and component health can be monitored in the KATA dashboard. CPU, memory and similar metrics can be viewed using built-in Linux tools in support mode. The available remote monitoring options are: Using SNMP; Heartbeats in SIEM integration

svc_kms

svc_kms in How-to

How to manage VMs, images, and slots via CLI in KATA SB [KATA/KEDRE]

KATA Sandbox provides tools to manage SB images, ISO files, and the number of VM slots via the CLI. For details, see below. Slots: Sometimes it is convenient to change the number of slots via the CLI. To do so, become root and run: /opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots> Change the number of slots via the CLI: # /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12

svc_kms

svc_kms in How-to

How to integrate KATA with KPSN reputation database [KATA/KEDRE]

Scenario: The KATA/EDR CN is integrated with the KPSN server, and you want to enrich the KPSN reputation database with the detections from the sandbox server. You can integrate a KATA Platform Central Node with the KPSN reputation database and automatically populate it with information about the files that the sandbox technology finds to be dangerous and highly important. Prerequisites: To configure sending checksums of the files detected by the sandbox technology to KPSN, you will n

svc_kms

svc_kms in How-to

How to integrate KATA and KWTS [KATA/KEDRE]

You may have purchased both the KATA and KWTS (Kaspersky Web Traffic Security) products. Since KWTS has built-in KATA integration, you may want to integrate KATA and KWTS. Problems after integration: Shortly after integration you may notice that on the KWTS side there is an error about sending objects to KATA, and the dashboards look similar to this: Resolution: The prerequisite for successful integration with KWTS is KATA version 3.6.1.752 or higher. KATA side: To

svc_kms

svc_kms in How-to

How to install Sandbox VM images from command line [KATA/KEDRE]

This article is applicable to both KATA and Kaspersky Sandbox 1. It is not applicable to KSB2. In certain cases (e.g. a slow connection from the administrator's workplace to the datacenter) it may be troublesome to upload VM images to a freshly installed KATA Sandbox server. In such cases, you may prefer to transfer the VM images to the Sandbox with tools like WinSCP and then install the images via command-line tools. Step-by-step guide: Images should be transferred to the Sandbox. Files should be located in /va

svc_kms

svc_kms in How-to

How to install patches on password-protected KEA [Kaspersky Endpoint Agent]

As the first step of KEA troubleshooting, we recommend installing the latest core patch. However, sometimes such an installation fails. There are two common causes of this: the EULA is not accepted, or the KEA installation is protected with a password. This guide addresses both of these issues. # in Password Symbol: Due to limitations in KSC, when creating a custom package for remote deployment in KSC, or editing the package configuration file (.kpd) directly,

svc_kms

svc_kms in How-to

How to install KATA 6.0 Ubuntu edition in KVM environment [KATA/KEDRE]

Description: Here is how to install KATA 6.0 Ubuntu edition in a KVM environment: https://support.kaspersky.ru/KATA/6.0/en-US/265697.htm In the example below we use RHEL 9.3, installed as a VM in VMware Workstation Pro 17.0. Step-by-step guide: First, you have to install QEMU/KVM; all steps are described HERE. Then install Virtual Machine Manager from the Software application; here it is version 4.1.0. After successful installation, just op

svc_kms

svc_kms in How-to

How to get Endpoint Agent lists and statuses from CLI [KATA/KEDRE]

This works on all KATA CN versions from 3.6.1 to 5.1. You can execute the queries below with curl to get a text representation of the agent status. The SSO login and password must be used; a limit of 200 entries is used in the example query. JSON with agent status: curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false

svc_kms

svc_kms in How-to

How to gather sandbox-debug-report from terminal [KATA/KEDRE]

This article is fully applicable to the KSB 2.0 server as well. You may want to gather KATA Sandbox diagnostics via SSH, without accessing the Web UI. Here is how to do it. Step-by-step guide: Log in to the Sandbox via SSH and become root. Then execute the command: Produce collect sb-logs --create '/tmp' '-7' chmod 777 /tmp/sandbox-debug-report*

svc_kms

svc_kms in How-to

How to force KATA Sandbox selfcheck [KATA/KEDRE]

For KATA 3.7.2: You can force the Sandbox health check to run instead of waiting for the 30-minute timeout. Step-by-step guide: Log in to the Sandbox server via SSH. To run the checker, first delete the /var/tmp/sbtest file: rm /var/tmp/sbtest Then run the checker and wait until it finishes:

svc_kms

svc_kms in How-to

How to fix malware interface route misconfiguration issues [KATA/KEDRE]

Description and cautions: This article may be useful in cases where virtual machines running on the KATA Sandbox cannot access the internet through a properly configured malware interface. The issue can be noticed from several symptoms, such as VM activation errors or samples sent to the Sandbox for processing not accessing the internet. We recommend using the following article to check whether the malware channel works properly on the KATA Sandbox server: https://

svc_kms

svc_kms in How-to

How to export alerts from KATA to CSV [KATA/KEDRE]

Security officers may need raw alert data from KATA for further processing in Excel or other tools. Here is how to export all alerts from the KATA database to a .csv file: KATA 3.7.2: sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\"" Instead of simply copying all alerts

svc_kms

svc_kms in How-to
