Jump to content

About this blog

Entries in this blog

KEA on Exchange servers [Kaspersky Endpoint Agent]

This article applies to KEA 3.10+ Problem You need to install KEA on a host running MS Exhange 2013, 2016, 2019 server, and ensure compatibilty. Solution Add the following values into registry (should be done with "Local System" rights): [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\SOYUZ\4.0\Environment] "EnablePorts"=dword:0000

svc_kms

svc_kms in Known Problem

YARA modules available on KATA CN [KATA/KEDRE]

If you are writing your own rules for YARA engine on Central Node, you may need available modules in YARA and engine version. Engine version is 3.7-3.11 in KATA 3.7.x Engine version is 4.10 in KATA 4.1 and KATA 5.0 Here's the list of modules: tests pe elf math time pe_utils magic hash dotnet dex For more info on modules, please refer to YARA documentation.

svc_kms

svc_kms in Known Problem

How to configure KEA exclusions required for KEA on AD controllers [Kaspersky Endpoint Agent]

Problem How to configure KEA exclusions required for KEA installed on AD controllers to prevent its slowdown and high hardware resources consumption. Step-by-step guide Add the following registry key to affected AD controller registry: [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\SOYUZ\4.0\Environment] "EnablePorts"=dword:00000001 "EnableSignatureLevel"=dword:00000001 "ServerProfile"=dword:0000000a This operation should be done as Local System account (eit

svc_kms

svc_kms in How-to

How to upgrade password protected KEA with KSC task [Kaspersky Endpoint Agent]

How to upgrade previously installed password protected KEA using KSC remote installation task. Step-by-step guide Edit attached file install_props.json, put there your password for already installed KEA; Put this file to folder on KSC containing files for creation of remote installation package for new KEA version as per screenshots below; Create on KSC package for remote installation; Start remote installation task on KSC.

svc_kms

svc_kms in How-to

How to remotely uninstall KEA Core Patches through KSC [Kaspersky Endpoint Agent]

Most of the time KEA core patches are cumulative and it is sufficient to install the newer one on top of the previous in order to fix new issues. However, sometimes, for troubleshooting purposes or otherwise, you would need to remove an existing patch. This is how it's done. Step-by-step guide In the Administration Console, go to Advanced → Remote installation → Installation packages; In the right frame, click Create installation package; Select Create installatio

svc_kms

svc_kms in How-to

How to install patches on password-protected KEA [Kaspersky Endpoint Agent]

As the first step of troubleshooting of KEA, we recommend installing the latest core patch. However, sometimes such installation will fail. There are two popular causes of this: EULA is not accepted; KEA installation is protected with a password. This guide addresses both of these issues. # in Password Symbol Due to limitations in KSC, when creating a custom package for remote deployment in KSC, or editing package configuration file (.kpd) directly,

svc_kms

svc_kms in How-to

How to: Filter KATA IDS traffic

Step-by-step guide KATA 3.7.2 Connect to central node/sensor node which processing SPAN traffic via ssh; Proceed to Technical support mode; Become root with command: Turn on wrapCopy as text # sudo -i Create file /etc/suricata/capture-filter.bpf with line containing traffic filtering conditions (syntax is the same as in tcpdump conditions), below you can see filter for example:   Exa

svc_kms

svc_kms in How-to

How to enable TX capturing in KATA [KATA/KEDRE]

Sometimes one may need to enable transmitted traffic capturing in KATA (in example, for local testing of Suricata detections). Here's how to do it. Instructions for KATA 3.7.* In file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. File should look like this: options pf_ring enable_tx_capture=1 min_num_slots=16384

svc_kms

svc_kms in How-to

How to collect LENA troubleshooting information [Kaspersky Endpoint Agent for Linux]

This article applies to Endpoint Agent for Linux. To collect LENA debug or ANY traces, please follow this guide. Default traces location is '/var/log/kaspersky/epagent/'. Default dumps location is '/tmp/agentdumps' Public collect.sh script was updated to collect LENA-related information and gather these folder as well. How to: enable LENA ANY traces For KATA-EDR (on-premises) customers to tune LENA performance by exclusions, ANY level logs are required. To enable ANY log

svc_kms

svc_kms in How-to

KEA core patches [Kaspersky Endpoint Agent]

Problem You may encounter issues with KEA that may include: Excessive resource consumption Freezes, crashes etc. Solution Install the latest available core patch. Adding KEA CF to KEA installation package is not supported and will not work, patches need to be installed separately. To install patch using KSC or locally use the following keys, /qn can be added for silent install as usual How to install patch

svc_kms

svc_kms in Known Problem

How to enable KEA traces and dumps: all the options [Kaspersky Endpoint Agent]

Kaspersky Endpoint Agent, as many other products, has a few different ways of enabling traces. Traces folder NB! The folder specified for traces must exist and be writable. KEA will neither create folder nor display any error if it doesn't exist. One may choose which is best suitable for their needs: Traces with restart In 99% cases, information that is written only during initialization, that is, after KEA restart, is critical for inves

svc_kms

svc_kms in How-to

How to replace pinned TLS Certificate [KATA/KEDRE]

KATA / EDR is using only one certificate for all connections (like WebServer and Client Connections). When you plan to replace it, do it in an early stage of deployment. If you want to replace the TLS certificate, you will need to: Reauthorize mail sensors (KSMG, KLMS) on Central Node. Reconfigure connection of Central Node, PCN and SCN to Sandbox. Reconfigure Endpoint Agent traffic redirection to Sensor and trusted connection with Endpoint Agent. Upload a new c

svc_kms

svc_kms in How-to

How to change installed components for built-in KEA [Kaspersky Endpoint Agent]

Problem If you install standalone Kaspersky Endpoint Agent, both KSC installation package and local installer provide option to choose, which KEA components to install: However, when KEA is installed in built-in scenario, bundled with KES or KSWS, you don't get to choose and KEA is installed in default configuration, with all the components. There's a way to select installed KEA components even for built-in scenarios. Using install_props.json for changing installed comp

svc_kms

svc_kms in How-to

How to add/export multiple prevention rules to KATA/EDR [KATA/KEDRE]

You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a script sample. Adding more than 1000 prevention rules will require additional PF to improve Web UI performance. Please contact technical support to get this PF. Adding more than 5000 prevention rules is highly NOT recommended as it may result in drastic performance degradation on both CN and Endpoint Agent. Step-by-step guide Script sample. To run it, yo

svc_kms

svc_kms in How-to

How to integrate KATA and KWTS [KATA/KEDRE]

You may have purchased both the KATA and KWTS(Kaspersky Web Traffic Security) products. Since KWTS has built-in KATA integration, you may want to integrate KATA and KWTS. Problems after integration Shortly after integration you may notice that on KWTS side, there is an error about sending objects to KATA, and dashboards look similar to this: Resolution Prerequisite for successful integration with KWTS is KATA version 3.6.1.752 or higher. KATA side To

svc_kms

svc_kms in How-to

How to change Docker network settings in KATA [KATA/KEDRE]

Please use caution when following the steps. This article is applicable to KATA 3.7.2 and KATA 4.0/4.1 In KATA 3.7, EDR stack is based on microservice architecture, it utilizes Docker Swarm. Containers have their own internal networking, which may cause issues in infrastructure, if the same networks are already used. Docker uses 4 different networks: Name Subnet br

svc_kms

svc_kms in How-to

How to enable KEA traces from installation [Kaspersky Endpoint Agent]

Sometimes, you may want to have Kaspersky Endpoint Agent traces which start from its very cradle. This guide is applicable to local installation. Step-by-step guide Place the attached JSON file next to endpointagent.msi file. Feel free to modify patch to traces folder inside. Install Endpoint Agent using GUI or command line: msiexec /i endpointagent.msi /qn

svc_kms

svc_kms in How-to

How to copy files to/from KATA [KATA/KEDRE]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. We suggest free and lightweight client, part of Putty: pscp. Step-by-step guide You can download pscp.exe for Windows from official site. Navigate to the folder with pscp.exe and start cmd or powershell there To copy files to KATA, run the following command: .\pscp.exe -scp <path to loc

svc_kms

svc_kms in How-to

How to remove VM snapshots from KATA Sandbox [KATA/KEDRE]

Sometimes, KATA Sandbox may suddenly stop functioning normally and throw a self-diagnostic error. This may be caused by snapshots corruption: as one of the troubleshooting steps, you may remove the latest VM snapshots, this is harmless procedure. Step-by-step guide Login to Sandbox via SSH and execute the following command: ls -l /vm/qemu/vms/ total 36 drwxr

svc_kms

svc_kms in How-to

How to export alerts from KATA to CSV [KATA/KEDRE]

Security officers may need raw alerts data from KATA for further processing in Excel/etc. Here's how to export all alerts from KATA database to .csv file: KATA 3.7.2 sudo -u postgres bash -c "psql -d antiapt -c \"COPY (SELECT * FROM all_alerts) TO '/tmp/kata_alerts.csv' (format csv, delimiter ';', header, encoding 'UTF8');\"" Instead of simply copying all alerts

svc_kms

svc_kms in How-to

How to check KSN availability on KATA CN [KATA/KEDRE]

Sometimes, you may need to check KSN servers availability and operation on KATA CN. This method is not applicable to KATA 6.0. The tool is still present, but it returns error 0x80000001 (Interface not supported). For KSN issues, there's a way to check specific hash for reputation: Become root  sudo -i Check specific hash for reputation by running the following command: for KATA 4.+ and 5.0: docker exec -it "$(do

svc_kms

svc_kms in How-to

How to force KATA Sandbox selfcheck [KATA/KEDRE]

For KATA 3.7.2 You can force run Sandbox Healthcheck instead of waiting for 30 minutes' timeout.  Step-by-step guide Log into Sandbox Server via ssh. To run checker, first you need to delete /var/tmp/sbtest file: rm /var/tmp/sbtest Then run checker and wait until it finishes:

svc_kms

svc_kms in How-to

How to install Sandbox VM images from command line [KATA/KEDRE]

This article is applicable to both KATA and Kaspersky Sandbox 1. It's not applicable to KSB2. In certain cases (i.e. slow connection to Datacenter from Administrator workplace) it may be troublesome to upload VM images to fresh installed KATA Sandbox server. In such cases, you may prefer to transfer VM images to Sandbox via tools like WinSCP, and then install images via command line tools. Step-by-step guide  Images should be transferred to Sandbox. Files should be located in /va

svc_kms

svc_kms in How-to



×
×
  • Create New...