This article applies to KEA 3.x (any cf) as part of the [KATA+]EDR solution.
1.1. Problem
Some hosts (usually servers, e.g. Windows Server 2012 R2) do not appear in the CN dashboard after being configured with correct settings, including a valid TLS certificate. In the known case, the Endpoint Agents were configured locally from the command line, not via policy; however, we verified that the same configuration led to a successful connection on most hosts.
During trou
Sometimes you may need to check KSN server availability and operation on the KATA CN.
This method does not apply to KATA 6.0: the tool is still present, but it returns error 0x80000001 (Interface not supported).
For KSN issues, there is a way to check a specific hash for reputation:
Become root
sudo -i
Check a specific hash for reputation by running the following command:
for KATA 4.x and 5.0:
docker exec -it "$(do
1.1. Scenario:
A KATA/EDR CN is deployed on site, and some remote users cannot connect to the internal network; you want to receive EDR telemetry from those endpoints and laptops while they are outside the network (assuming you have no VPN functionality).
You don't want to expose the CN to the internet, so you would like to use a Sensor to relay the telemetry to the CN and keep visibility of the endpoints.
1.2. Prerequisites and configuration steps
The scenario applies to KEA version 3.10 and above.
There is no built-in feature to perform a Yara scan in KATA/EDR Expert 3.7.2. If necessary, it is possible to perform one using KEA 3.10 and above.
Yara scan using the command line
Requirements:
KEA 3.10 (and above) installed
Files with Yara rules (*.yara, *.yar)
Scenario:
Ensure that KEA is installed and running;
Run the Yara scan
In EDR, the Security Officer can create hash-based prevention rules for workstations. Here is the list of activities to which prevention rules apply:
The Agent should control and prevent read access to the following file formats by the following apps:
App:
winword.exe
wordpad.exe
excel.exe
You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a sample script.
Adding more than 1000 prevention rules requires an additional PF to keep Web UI performance acceptable. Please contact technical support to obtain this PF.
Adding more than 5000 prevention rules is strongly NOT recommended, as it may cause drastic performance degradation on both the CN and the Endpoint Agent.
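Before feeding a batch into the CN it is worth checking the list itself, since a malformed or duplicated hash wastes a rule and the limits above apply to the total number of rules, not just the batch. The pre-flight check below is an added example, not the sample script from this article; it never talks to the Central Node, and the one-hash-per-line input format ("hash;comment") and the constructed sample hashes are assumptions made for the example.

```python
"""Pre-flight check for a batch of hash-based prevention rules.

Added example, not the script sample from the article. It does not talk to
the Central Node: it validates and deduplicates the hash list and applies
the size limits stated above (above 1000 rules the Web UI needs the PF,
above 5000 adding rules is not recommended). The 'hash;comment' input
format is an assumption made for this example.
"""
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

PF_LIMIT = 1000         # more rules than this: Web UI needs the performance PF
NOT_RECOMMENDED = 5000  # more rules than this: not recommended at all


def hash_kind(value):
    """Return 'md5', 'sha256' or None for a hex hash string (case-insensitive)."""
    h = value.strip().lower()
    if MD5_RE.match(h):
        return "md5"
    if SHA256_RE.match(h):
        return "sha256"
    return None


def prepare_batch(lines, existing_rules=0):
    """Validate 'hash;comment' lines and report what a batch import would do.

    existing_rules is the number of prevention rules already on the CN, so
    the limits are checked against the total, not just this batch.
    """
    rules, invalid, seen, duplicates = [], [], set(), 0
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment in the input file
        hash_part, _, comment = line.partition(";")
        h = hash_part.strip().lower()
        kind = hash_kind(h)
        if kind is None:
            invalid.append((lineno, hash_part.strip()))
            continue
        if h in seen:
            duplicates += 1  # the same hash twice would only create a second rule
            continue
        seen.add(h)
        rules.append({"hash": h, "type": kind, "comment": comment.strip()})

    total = existing_rules + len(rules)
    warnings = []
    if total > NOT_RECOMMENDED:
        warnings.append(f"{total} rules exceeds {NOT_RECOMMENDED}: not recommended "
                        "(CN and Endpoint Agent performance degradation)")
    elif total > PF_LIMIT:
        warnings.append(f"{total} rules exceeds {PF_LIMIT}: Web UI performance "
                        "PF required, contact technical support")
    return {"rules": rules, "invalid": invalid, "duplicates": duplicates,
            "total_after_import": total, "warnings": warnings}


# Constructed sample input (well-known test digests, not real malware hashes).
SAMPLE_LINES = [
    "# batch of hashes to block",
    "d41d8cd98f00b204e9800998ecf8427e;md5 test",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855;sha256 test",
    "d41d8cd98f00b204e9800998ecf8427e;duplicate of line 2",
    "not-a-hash;typo",
]

if __name__ == "__main__":
    print(prepare_batch(SAMPLE_LINES, existing_rules=990))
```

Run it over the real list (one hash per line) with existing_rules set to the count shown in the Web UI; an empty "warnings" and "invalid" means the batch is safe to hand to the import script.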
Step-by-step guide
Script sample. To run it, yo
You may have purchased both KATA and KWTS (Kaspersky Web Traffic Security). Since KWTS has built-in KATA integration, you may want to integrate the two.
Problems after integration
Shortly after integration you may notice, on the KWTS side, an error about sending objects to KATA, and dashboards that look like this:
Resolution
A prerequisite for successful integration with KWTS is KATA version 3.6.1.752 or higher.
KATA side
To
The second part of this article also applies to KSB 2.0; details below.
It is rather hard to tell whether the malware channel on KATA Sandbox works or not. Here is a simple and reliable way to check.
Step-by-step guide
Create a .bat script with the commands you would normally run in a console to check the internet connection, such as ping or tracert, and redirect their output to a file. Here is an example of such a script.
Upload this script to Storage and wa
Here is an example step-by-step instruction for configuring Single Sign-On (SSO) for KATA 4.1/5+/6+ into the HOME.LAB domain.
Prerequisites
The deployed Central Node's server name should be an FQDN (in this case the FQDN of the Central Node is kata-cn.home.lab).
It can be checked via Settings / Network Settings of the Central Node.
A and PTR records should be set for the Central Node in DNS.
A domain user account should be created to set up Kerberos authentication by means of a keytab f
Sometimes KATA Sandbox may suddenly stop functioning normally and throw a self-diagnostic error. This may be caused by snapshot corruption; as one troubleshooting step you can remove the latest VM snapshots, which is a harmless procedure.
Step-by-step guide
Log in to Sandbox via SSH and execute the following command:
ls -l /vm/qemu/vms/
total 36
drwxr
Configuring the KEA update task is crucially important: updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent way to check the bases version locally.
The solution is to check the bases version locally via the CLI.
KEA for Windows bases date
From Elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\En
This article is fully applicable to the KSB 2.0 server as well.
You may want to gather KATA Sandbox diagnostics via SSH without accessing the Web UI. Here is how.
Step-by-step guide
Log in to Sandbox via SSH and become root. Then execute the command:
Produce collect
sb-logs --create '/tmp' '-7'
chmod 777 /tmp/sandbox-debug-report*
You may want to have the full certificate chain for the KATA Web UI. Here is how.
Step-by-step guide
Preparing the certificate chain for use in nginx_gateway configuration
We start with the full certificate chain in the familiar PEM form. Note that the chain should contain the certificates of the desired intermediate authorities. Do not add the private key to the chain.
First of all, we transfer it to the Central Node. It's recommended to do all further actions on Central Node, as in dif
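A quick way to catch the two mistakes that matter here (a private key pasted into the chain, or a missing intermediate) before the file is handed to nginx_gateway. This checker is an added example, not part of the article or of KATA; it uses only the Python standard library, so it checks block labels, base64 and duplicates but not signatures or ordering, which still need openssl verify. The "certificates" used below are constructed DER-looking byte strings, not real certificates.

```python
"""Sanity-check a PEM chain file before putting it into the nginx_gateway config.

Added example, not part of the article. Standard library only, no X.509
parsing: it checks that no private key ended up in the chain, that every
block is well-formed base64 decoding to a DER SEQUENCE, that there is a
server certificate plus at least one intermediate, and that no certificate
is repeated. Chain order and signatures still need openssl.
"""
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_chain_pem(pem_text):
    """Return a report dict; 'problems' is empty when the chain looks sane."""
    problems, fingerprints = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            problems.append(f"{label} block found: the chain must not contain the private key")
            continue
        if label != "CERTIFICATE":
            problems.append(f"unexpected {label} block")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("CERTIFICATE block with malformed base64")
            continue
        if not der.startswith(b"\x30"):  # every DER certificate is a SEQUENCE
            problems.append("CERTIFICATE block does not decode to a DER SEQUENCE")
            continue
        fp = hashlib.sha256(der).hexdigest()
        if fp in fingerprints:
            problems.append(f"duplicate certificate {fp[:16]}")
            continue
        fingerprints.append(fp)
    if len(fingerprints) < 2:
        problems.append("chain needs the server certificate plus at least one intermediate")
    return {"certificates": len(fingerprints),
            "fingerprints": fingerprints, "problems": problems}


def pem_block(label, der):
    """Wrap DER bytes in a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-ins: DER-looking bytes, not real certificates or keys.
FAKE_LEAF = pem_block("CERTIFICATE", b"\x30\x82\x01\x00" + b"leaf" * 16)
FAKE_INTERMEDIATE = pem_block("CERTIFICATE", b"\x30\x82\x01\x00" + b"ica!" * 16)
FAKE_KEY = pem_block("RSA PRIVATE KEY", b"\x30\x82\x02\x00" + b"key!" * 16)

if __name__ == "__main__":
    print(check_chain_pem(FAKE_LEAF + FAKE_INTERMEDIATE + FAKE_KEY))
```

On the Central Node, pass the contents of the transferred chain file to check_chain_pem before editing the nginx_gateway configuration; a non-empty "problems" list means the file needs fixing first.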
Sometimes you may want Kaspersky Endpoint Agent traces that start from the very beginning, i.e. from installation. This guide applies to local installation.
Step-by-step guide
Place the attached JSON file next to endpointagent.msi. Feel free to modify the path to the traces folder inside it.
Install Endpoint Agent using GUI or command line:
msiexec /i endpointagent.msi /qn
This article provides additional details to the Online Help article.
Modern web servers use gzip compression for transferred web pages. Such compressed pages should not be sent to the KATA API as-is, as they only create unnecessary load on Sandbox.
Content-Type - optional parameter
objectType - must always be file (other types are not supported)
content - the object to send
scanId - ID of the object sent to KATA (must be unique)
sensorId - ID of the sending system
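The parameters above map onto a multipart POST, and the gzip remark means the sender should unpack the object before it leaves the sensor. The snippet below is an added example and not from the Online Help or this article: the endpoint path (/kata/scanner/v1/sensors/<sensorId>/scans), the multipart field layout and the constructed sample page are assumptions made for the example, so check the Online Help for the exact request layout of your KATA version. It builds the request without sending it.

```python
"""Prepare an object upload for the KATA scanner API with gzip unpacked first.

Added example, not from the Online Help or the article. The endpoint path,
the multipart field layout and the sample page are assumptions for this
example. Nothing here contacts a Central Node.
"""
import gzip
import uuid
import urllib.request

GZIP_MAGIC = b"\x1f\x8b"


def unpack_if_gzip(content):
    """Return (raw_bytes, was_gzipped).

    A gzip-compressed page sent as-is would only cost Sandbox time without
    giving it anything to analyse, so decompress it before sending.
    """
    if content[:2] == GZIP_MAGIC:
        return gzip.decompress(content), True
    return content, False


def new_scan_id():
    """scanId must be unique per object sent; a random UUID satisfies that."""
    return str(uuid.uuid4())


def build_multipart(fields, file_field, file_name, file_bytes, boundary=None):
    """Encode text fields plus one file part as multipart/form-data."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f"--{boundary}\r\n"
                      f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                      f"{value}\r\n").encode())
    parts.append((f"--{boundary}\r\n"
                  f'Content-Disposition: form-data; name="{file_field}"; '
                  f'filename="{file_name}"\r\n'
                  "Content-Type: application/octet-stream\r\n\r\n").encode()
                 + file_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def prepare_scan_request(cn_host, sensor_id, file_name, content, scan_id=None):
    """Build the POST request (not sent). objectType is always 'file'."""
    raw, was_gz = unpack_if_gzip(content)
    scan_id = scan_id or new_scan_id()
    body, content_type = build_multipart(
        {"scanId": scan_id, "objectType": "file"}, "content", file_name, raw)
    # Assumed path; sensorId travels in the URL here.
    url = f"https://{cn_host}/kata/scanner/v1/sensors/{sensor_id}/scans"
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    return {"request": req, "scanId": scan_id,
            "decompressed": was_gz, "object_size": len(raw)}


# Constructed sample: a small HTML page as a web server would gzip it.
SAMPLE_PAGE = b"<html><body><script>alert(1)</script></body></html>"
SAMPLE_GZIPPED = gzip.compress(SAMPLE_PAGE)

if __name__ == "__main__":
    r = prepare_scan_request("kata-cn.example.local", "sensor-01",
                             "index.html", SAMPLE_GZIPPED)
    print(r["scanId"], r["decompressed"], r["object_size"])
    # To actually send it: urllib.request.urlopen(r["request"], timeout=30)
```

Keep the scanId you generated together with the response, since it is the only handle you have for matching the verdict back to the object later.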
Problem Description, Symptoms & Impact
When downloading large collects (sandbox-debug-report) exceeding 1 GB in size, the download suddenly fails above 1 GB (at ~1 05x xxx KB).
Diagnostics
Reproducible in all browsers; not bound to download speed; the downloaded part is roughly 1 GB in size.
Workaround & Solution
Workaround: download sandbox-debug-report using SCP and CLI, see https://forum.kaspersky.com/topic/how-to-gather-sandbox-debug-report-from-terminal-katakedre-36851/
KATA Sandbox provides instruments to manage SB images, ISO files, and VM Slots number via CLI. For details, see below.
Slots
Sometimes it is convenient to change the number of slots via the CLI. To do so, become root and run:
/opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots>
Change slots number via CLI
# /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12
To upgrade KATA from 3.7.2 through 4.0 > 4.1 > 5.0 > 5.1 > 6.0, follow the procedure below.
Step-by-step guide
Prior to the PCN upgrade you have to disconnect all Sensors, SCNs and Sandboxes.
After the upgrade, Sandboxes and Sensors must be reinstalled; the disconnected SCNs must be upgraded to 4.0 and then 4.1 and then reconnected to the PCN.
The upgrade order is described here: https://support.kaspersky.com/KATA/4.0/en-US/198801.htm
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Sometimes EDR agents generate more telemetry than anticipated. Telemetry collection can be tuned via KEA bases; to do this, a telemetry profile, aka "topic dump", is needed in ready-to-use format.
To collect the telemetry profile, do the following:
Do not run apt-sedr-reset before collecting the topic dumps.
Execute the following comma
This article applies to both KATA and Kaspersky Sandbox 1. It does not apply to KSB 2.
In some cases (e.g. a slow connection from the administrator's workstation to the data centre) it may be troublesome to upload VM images to a freshly installed KATA Sandbox server. In such cases you may prefer to transfer the VM images to Sandbox with a tool like WinSCP and then install them via command-line tools.
Step-by-step guide
Images should be transferred to Sandbox. Files should be located in /va
When creating an IoC scan task, only the following registry branches are scanned.
<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
'{
LR"(HKEY_CLASSES_ROOT\htafile)",
LR"(HKEY_CLASSES_ROOT\batfile)",
LR"(HKEY_CLASSES_ROOT\exefile)",
LR"(HKEY_CLASSES_ROOT\comfile)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
Most of the time KEA core patches are cumulative, and it is sufficient to install the newer one on top of the previous one to fix new issues.
However, sometimes, for troubleshooting or other reasons, you need to remove an existing patch. This is how it is done.
Step-by-step guide
In the Administration Console, go to Advanced → Remote installation → Installation packages;
In the right frame, click Create installation package;
Select Create installatio
An OS restart will be requested if you upgrade KEA to a version above 3.11.
About
This article describes the best way of upgrading KEA 3.9 to the latest KEA version while avoiding known issues.
Procedure
Disable Password protection and Self-Defense in the KEA policy and lock the settings. Ensure that the policy is applied on all devices.
Upgrade KEA plug-in on the KSC side. Recreate
Problem
If you install standalone Kaspersky Endpoint Agent, both the KSC installation package and the local installer let you choose which KEA components to install:
However, when KEA is installed in the built-in scenario, bundled with KES or KSWS, you don't get to choose: KEA is installed in the default configuration, with all components.
There is a way to select the installed KEA components even for built-in scenarios.
Using install_props.json for changing installed comp
This works on all KATA CN versions from 3.6.1 to 5.1.
You can execute the queries below with curl to get a text representation of agent status. An SSO login and password must be used; a limit of 200 entries is used in the example query.
JSONs with agent status
curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false