Please use caution when following the steps.
This article is applicable to KATA 3.7.2 and KATA 4.0/4.1
In KATA 3.7, EDR stack is based on microservice architecture, it utilizes Docker Swarm. Containers have their own internal networking, which may cause issues in infrastructure, if the same networks are already used.
Docker uses 4 different networks:
Name
Subnet
br
Sometimes one may need to enable transmitted traffic capturing in KATA (in example, for local testing of Suricata detections).
Here's how to do it.
Instructions for KATA 3.7.*
In file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. File should look like this:
options pf_ring enable_tx_capture=1 min_num_slots=16384
KATA / EDR is using only one certificate for all connections (like WebServer and Client Connections). When you plan to replace it, do it in an early stage of deployment.
If you want to replace the TLS certificate, you will need to:
Reauthorize mail sensors (KSMG, KLMS) on Central Node.
Reconfigure connection of Central Node, PCN and SCN to Sandbox.
Reconfigure Endpoint Agent traffic redirection to Sensor and trusted connection with Endpoint Agent.
Upload a new c
This article applies to Endpoint Agent for Linux. To collect LENA debug or ANY traces, please follow this guide.
Default traces location is '/var/log/kaspersky/epagent/'.
Default dumps location is '/tmp/agentdumps'
Public collect.sh script was updated to collect LENA-related information and gather these folder as well.
How to: enable LENA ANY traces
For KATA-EDR (on-premises) customers to tune LENA performance by exclusions, ANY level logs are required. To enable ANY log
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
We suggest free and lightweight client, part of Putty: pscp.
Step-by-step guide
You can download pscp.exe for Windows from official site.
Navigate to the folder with pscp.exe and start cmd or powershell there
To copy files to KATA, run the following command:
.\pscp.exe -scp <path to loc
KATA doesn't have auto removal for inactive agents, and also it doesn't have support for VDI scenarios yet.
So if you have many VDI clients in use, they will quickly fill up the license.
Step-by-step guide
KATA 3.7.2
You can set up cron task to remove clients periodically, for example, this code will remove clients older than 3 days
sudo -u kluser psql antiapt -c "delete from agent_status where last_packet_ti
