Sometimes, you may want to have Kaspersky Endpoint Agent traces which start from its very cradle. This guide is applicable to local installation.
Step-by-step guide
Place the attached JSON file next to endpointagent.msi file. Feel free to modify patch to traces folder inside.
Install Endpoint Agent using GUI or command line:
msiexec /i endpointagent.msi /qn
You may have purchased both the KATA and KWTS(Kaspersky Web Traffic Security) products. Since KWTS has built-in KATA integration, you may want to integrate KATA and KWTS.
Problems after integration
Shortly after integration you may notice that on KWTS side, there is an error about sending objects to KATA, and dashboards look similar to this:
Resolution
Prerequisite for successful integration with KWTS is KATA version 3.6.1.752 or higher.
KATA side
To
Problem
Some users may face a rather unclear and not self-explanatory error when attempting to remotely install KEA for Linux:
Remote installation has been completed with an error on this device: Installation error Error in PREIN scriptlet in rpm package epagent
Error: Transaction failed
Solution
You may not want to use all 3 or 4 (depends on settings at web set) VMs in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be SB self-diagnostics error at the KATA web-interface. Usually it's WinXP image that gets excluded.
This article is applicable only to KATA 4.1/5.0
Images names for 4.1:
CentOS7_x64, WinXP, Win7_x64, Win10_x64
Images names for 5.0:
Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64
KATA
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Sometimes EDR agents generate more telemetry than anticipated. There's an option to tune telemetry collection via KEA bases, and in order to do it, telemetry profile, aka "topic-dump", is needed in ready-to-use format.
In order to collect telemetry, do the following:
Please do not run apt-sedr-reset before collecting topic dumps.
Execute the following comma
You may want to obtain list of EDR agents ever connected to KATA.
Step-by-step guide
KATA 3.7+
Connect to Central Node via ssh, choose Technical support mode, become root:
$ sudo -i
Execute command:
sudo -u p
How to upgrade previously installed password protected KEA using KSC remote installation task.
Step-by-step guide
Edit attached file install_props.json, put there your password for already installed KEA;
Put this file to folder on KSC containing files for creation of remote installation package for new KEA version as per screenshots below;
Create on KSC package for remote installation;
Start remote installation task on KSC.
KATA 4.0/4.1 is compatible with KSMG 2.0, KSMG 1 and KLMS 8.0.3.
Second thing to notice is that KSMG integration has a few bugs on KATA side. Thankfully, all known issues are fixed in a PF, which is recommended for all who integrate KSMG/KLMS and KATA4.
KATA4.0
Step-by-step guide
Download container with fix.
file_name : kata_scanner_35f8753e6d.tar.gz
md5 : 2adb09c0bd13dfc03c6a5c8980dde4ff
container_name: kata_scanner
container_version: kata_scanner:35f8753e6
When creating an IoC scan task, only the following registry branches are scanned.
<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value=
'{
LR"(HKEY_CLASSES_ROOT\htafile)",
LR"(HKEY_CLASSES_ROOT\batfile)",
LR"(HKEY_CLASSES_ROOT\exefile)",
LR"(HKEY_CLASSES_ROOT\comfile)",
LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
Problem
This error appears when newest MDR Configuration files that are above 1MB in size are uploaded into KATA WebUI following the integration scenario either to establish the integration or to replace the outdated config:
https://support.kaspersky.com/KATA/3.7.2/en-US/201839.htm
Solution
Extend zip-archive file size limit from 1MB to 2MB:
Become root:
Configuring KEA update task is of crucial importance. Updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means to check bases version locally.
The solution to this demand is to check bases version locally via CLI.
KEA for Windows bases date
From Elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\En
Problem
When user is added to a lot of AD groups, he may be unable to login to web interface of KATA via SSO.
Step-by-step guide
Modify /etc/opt/kaspersky/apt-swarm/swarm_config.json like this (set buffer_size to 65535 under uwsgi section - it's on bottom of the file)
2. Execute via SSH
apt-settings-manager get /configuration/web_backend | python -m json.tool > /tmp/web_backend
Problem
After "Nessus" vulnerability scanning on Central node 4.0 servers, you may see the following:
Ports: 22-tcp
Description: The remote SSH server is configured to allow key exchange algorithms which are considered weak. This is based on the IETF draft document Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH) draft-ietf-curdle-ss
Please use caution when following the steps.
This article is applicable to KATA 3.7.2 and KATA 4.0/4.1
In KATA 3.7, EDR stack is based on microservice architecture, it utilizes Docker Swarm. Containers have their own internal networking, which may cause issues in infrastructure, if the same networks are already used.
Docker uses 4 different networks:
Name
Subnet
br
Problem
You may encounter issues with KEA that may include:
Excessive resource consumption
Freezes, crashes
etc.
Solution
Install the latest available core patch.
Adding KEA CF to KEA installation package is not supported and will not work, patches need to be installed separately.
To install patch using KSC or locally use the following keys, /qn can be added for silent install as usual
How to install patch
Sometimes one may need to enable transmitted traffic capturing in KATA (in example, for local testing of Suricata detections).
Here's how to do it.
Instructions for KATA 3.7.*
In file /etc/modprobe.d/pf_ring.conf set enable_tx_capture=1. File should look like this:
options pf_ring enable_tx_capture=1 min_num_slots=16384
If you are writing your own rules for YARA engine on Central Node, you may need available modules in YARA and engine version.
Engine version is 3.7-3.11 in KATA 3.7.x
Engine version is 4.10 in KATA 4.1 and KATA 5.0
Here's the list of modules:
tests
pe
elf
math
time
pe_utils
magic
hash
dotnet
dex
For more info on modules, please refer to YARA documentation.
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
How to monitor KATA system health such as CPU, HDD, Memory usage, services status and etc? How to output this information?
Locally, monitoring product operation and component health can be done in KATA dashboard. CPU, memory or similar metrics can be viewed using built-in Linux tools in support mode. Available remote monitoring options are:
Using SNMP
Hearbeats in SIEM integration
In EDR Security officer can create a hash-based prevention rule for workstation. Here's the list of activities to which prevention rules apply:
Agent should control and prevent read access of the following file formats by the following apps:
App:
winword.exe
wordpad.exe
excel.exe
Problem
KEA writes in its event logs numeric task states.
Solution
Number
Meaning
0
Unknown
1
PreparedToStart
2
Starting
3
Started
4
Stopping
5
Stopped
KATA / EDR is using only one certificate for all connections (like WebServer and Client Connections). When you plan to replace it, do it in an early stage of deployment.
If you want to replace the TLS certificate, you will need to:
Reauthorize mail sensors (KSMG, KLMS) on Central Node.
Reconfigure connection of Central Node, PCN and SCN to Sandbox.
Reconfigure Endpoint Agent traffic redirection to Sensor and trusted connection with Endpoint Agent.
Upload a new c
This article applies to Endpoint Agent for Linux. To collect LENA debug or ANY traces, please follow this guide.
Default traces location is '/var/log/kaspersky/epagent/'.
Default dumps location is '/tmp/agentdumps'
Public collect.sh script was updated to collect LENA-related information and gather these folder as well.
How to: enable LENA ANY traces
For KATA-EDR (on-premises) customers to tune LENA performance by exclusions, ANY level logs are required. To enable ANY log
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
We suggest free and lightweight client, part of Putty: pscp.
Step-by-step guide
You can download pscp.exe for Windows from official site.
Navigate to the folder with pscp.exe and start cmd or powershell there
To copy files to KATA, run the following command:
.\pscp.exe -scp <path to loc
Issue
"Databases and modules update task" is configured for hosts with LENA 3.12 installed.
Task is executed via KSC.
Diagnostics
"Activate KEA" task is configured for the hosts with LENA or has been configured and deleted in the past.
An update is executed locally, using lenactl works.
KLNagent successfully synchronizes with the server. Other installed applications (e.g. KESL) display no synchronization issues.
Workaround
To fix the issue:
KATA doesn't have auto removal for inactive agents, and also it doesn't have support for VDI scenarios yet.
So if you have many VDI clients in use, they will quickly fill up the license.
Step-by-step guide
KATA 3.7.2
You can set up cron task to remove clients periodically, for example, this code will remove clients older than 3 days
sudo -u kluser psql antiapt -c "delete from agent_status where last_packet_ti
