Issue
In KATA 4.1, when Central Node was used as Sensor, it was possible to access Traffic Capture and disable protocol, e.g SMTP.
CN-Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500.htm
Standalone Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500_1.htm
In KATA 5.0, this possibility is missing from docs and from CN and only available on Standalone Sensor:
Solution
Workaround is to use CLI and access pre
Sometimes one may need to enable transmitted traffic capturing in KATA (in example, for local testing of Suricata detections).
Here's how to do it.
Instructions for KATA 3.7.*
In file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. File should look like this:
options pf_ring enable_tx_capture=1 min_num_slots=16384
Sometimes, you may want to have Kaspersky Endpoint Agent traces which start from its very cradle. This guide is applicable to local installation.
Step-by-step guide
Place the attached JSON file next to endpointagent.msi file. Feel free to modify patch to traces folder inside.
Install Endpoint Agent using GUI or command line:
msiexec /i endpointagent.msi /qn
Kaspersky Endpoint Agent, as many other products, has a few different ways of enabling traces.
Traces folder
NB! The folder specified for traces must exist and be writable. KEA will neither create folder nor display any error if it doesn't exist.
One may choose which is best suitable for their needs:
Traces with restart
In 99% cases, information that is written only during initialization, that is, after KEA restart, is critical for inves
You may not want to use all 3 or 4 (depends on settings at web set) VMs in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be SB self-diagnostics error at the KATA web-interface. Usually it's WinXP image that gets excluded.
This article is applicable only to KATA 4.1/5.0
Images names for 4.1:
CentOS7_x64, WinXP, Win7_x64, Win10_x64
Images names for 5.0:
Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64
KATA
To create a Certificate Signing Request file using the openssl utility:
1. Prepare a file named sandbox.config with the following contents:
[req]
default_bits=2048
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
[dn]
C=AE
ST=North
L=Dubai
O=ABC LAB
OU=IT Security
emailAddress=security@abc.lab
CN=katasb.abc.lab
[req_ext]
sub
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
We suggest free and lightweight client, part of Putty: pscp.
Step-by-step guide
You can download pscp.exe for Windows from official site.
Navigate to the folder with pscp.exe and start cmd or powershell there
To copy files to KATA, run the following command:
.\pscp.exe -scp <path to loc
1.1. Scenario:
KATA/EDR CN is deployed on site, and there are some remote users that cannot connect to the internal network, and you want to receive the EDR telemetry from those endpoints and laptops when they are outside the network (considering that you don't have any VPN functionality).
You don't want to expose the CN on the internet, so you'd like to use the sensor to relay the telemetry to the CN and have visibility on the endpoints.
1.2. Pre-requisites and configuration step
There is an example of a step-by-step instruction to configure Single-Sign-On (SSO) for KATA 4.1/5+/6+ into HOME.LAB domain.
Prerequisites
Deployed Central Node Server Name should be FQDN. (In current case FQDN name of Central Node - kata-cn.home.lab)
It can be checked via Settings/Network Settings of Central Node.
A and PTR record should be set for Central Node in DNS.
Domain User Account should be created to set up Kerberos authentication by means of keytab f
Problem
How to configure KEA exclusions required for KEA installed on AD controllers to prevent its slowdown and high hardware resources consumption.
Step-by-step guide
Add the following registry key to affected AD controller registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\SOYUZ\4.0\Environment]
"EnablePorts"=dword:00000001
"EnableSignatureLevel"=dword:00000001
"ServerProfile"=dword:0000000a
This operation should be done as Local System account (eit
Don't forget to install 6.0.1 and 6.0.2 patch, which fixes some bugs in ICAP integration.
Description and cautions
Since we have new ICAP working modes, presented in KATA 6.0 - https://support.kaspersky.ru/KATA/6.0/en-US/247269.htm , we would like to show you, how to configure such integration on example of squid proxy server.
Added ICAP integration with feedback. ICAP integration with feedback can work in two modes:
Standa
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Sometimes EDR agents generate more telemetry than anticipated. There's an option to tune telemetry collection via KEA bases, and in order to do it, telemetry profile, aka "topic-dump", is needed in ready-to-use format.
In order to collect telemetry, do the following:
Please do not run apt-sedr-reset before collecting topic dumps.
Execute the following comma
This article applies to Endpoint Agent for Linux. To collect LENA debug or ANY traces, please follow this guide.
Default traces location is '/var/log/kaspersky/epagent/'.
Default dumps location is '/tmp/agentdumps'
Public collect.sh script was updated to collect LENA-related information and gather these folder as well.
How to: enable LENA ANY traces
For KATA-EDR (on-premises) customers to tune LENA performance by exclusions, ANY level logs are required. To enable ANY log
Sometimes, you may need to check KSN servers availability and operation on KATA CN.
This method is not applicable to KATA 6.0. The tool is still present, but it returns error 0x80000001 (Interface not supported).
For KSN issues, there's a way to check specific hash for reputation:
Become root
sudo -i
Check specific hash for reputation by running the following command:
for KATA 4.+ and 5.0:
docker exec -it "$(do
Configuring KEA update task is of crucial importance. Updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means to check bases version locally.
The solution to this demand is to check bases version locally via CLI.
KEA for Windows bases date
From Elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\En
Here's how to change web UI certificate for KATA SB.
Create backup of original files with same rights as it was before (you can check them with ll /etc/nginx/ssl command)
cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig
cp -p /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.orig
Rep
Problem
If you install standalone Kaspersky Endpoint Agent, both KSC installation package and local installer provide option to choose, which KEA components to install:
However, when KEA is installed in built-in scenario, bundled with KES or KSWS, you don't get to choose and KEA is installed in default configuration, with all the components.
There's a way to select installed KEA components even for built-in scenarios.
Using install_props.json for changing installed comp
Please use caution when following the steps.
This article is applicable to KATA 3.7.2 and KATA 4.0/4.1
In KATA 3.7, EDR stack is based on microservice architecture, it utilizes Docker Swarm. Containers have their own internal networking, which may cause issues in infrastructure, if the same networks are already used.
Docker uses 4 different networks:
Name
Subnet
br
Versions
Applicable to versions later than 5.0, 5.1, 6.0, 6.0.1, etc.
Problem
There are several cases where the standard method of changing interface network settings via the Web UI is not available, e.g. the Web UI is inaccessible.
Solution
Become root, save the nodes settings:
sudo su
console-settings-updater get /deploy/deployment_api/nodes | python3 -m json.
Description and cautions
One may need to change the admin account's password (the account used for SSH login).
KATA 5.0
For KATA 5.0 this article is not applicable. No option to change Local Administrator/ Cluster Administrator in pseudo-graphic menu available by default in 5.0 See https://forum.kaspersky.com/topic/how-to-reset-kata-web-administrator-password-in-kata-50-katakedre-36844/
Details
In case of standalone Central node:
Login to the web-i
Don't apply to PCN, it will lead to the disconnection of all SCNs attached and will not restore automatically
Problem Description
A PCN connection request got stuck in the "Waiting" status and doesn't result in failure. The reboot doesn't help. It can happen if, for example, a SCN IP was specified instead of PCN.
Solution
Run the following commands as root:
Don't apply to PCN, it will lead to the disconnection of all SCNs attached and will not restore automatically
Problem Description
A PCN connection request got stuck in the "Waiting" status and doesn't result in failure. The reboot doesn't help. It can happen if, for example, a SCN IP was specified instead of PCN.
Solution
Run the following commands as root:
Description and cautions
This is short article about how to burn KATA ISO on USB drive.
For KATA 4.0/4.1 you need 8Gb USD drive, for 5.0/5.1 - 16Gb at least.
3d party solutions are involved, therefore success is not guaranteed. Ventoy is more preferable working method.
Details
Download latest Rufus release or Ventoy, how to use Ventoy described here or Balena http:// https://etcher.balena.io/
[Rufus part] Open it and select respective KATA IS
Collect script output is a must for most KATA-related issues and questions.
Which information?
Which file?
How to find/interpret?
Example
КАТА version and role: CN/PCN/SCN/Sensor
/config/apt-va
File contains the version and role in human-readable form. Al
You may need to add a batch of prevention rules to KATA. To speed up the process, we have created a script sample.
Adding more than 1000 prevention rules will require additional PF to improve Web UI performance. Please contact technical support to get this PF.
Adding more than 5000 prevention rules is highly NOT recommended as it may result in drastic performance degradation on both CN and Endpoint Agent.
Step-by-step guide
Script sample. To run it, yo
