This article is about Kaspersky Security Center for Windows (KSC for Windows)
Problem
You set up integration with SIEM but no events come up on SIEM side. In some cases there is no incoming traffic to SIEM from KSC server.
Solution
In vast majority of cases the root cause can be located in KSC server trace
Trace example #1
25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemM
The problem is in the certificate - it has a 1024 bit long key. While Web Console now works only with 2048 bit long keys.
The customer needs to reissue KSC server certificate to 2048 key length.
What to do -
1. Generate reserve KSC certificate - for example by using command -
klsetsrvcert -t CR -g "dns_name" -o "RsaKeyLen:2048"
where DNS name is DNS name of KSC
2. Wait several days - hosts will connect to KSC and receive reserve cert.
The customer could check on c
Issue
An attempt to send POST request via KPSN API from a Windows client.:
curl --cert C:\\Users\\user_A\\Desktop\\kpsn_api
kpsn_api_crt.pem --key C:\\Users\\user_A\\Desktop\\kpsn_api
kpsn_api_key.pem -k -X POST -d "{\\"action
": \\"check_url\\",\\"data
": {\\"urls
": [\\"website1.com
"]}}" https://10.90.116.27:80/api/
Fails with the following error:
curl: (58) schannel: Failed to import cert file C:\\Users\\user_A\\Desktop\\kpsn_api
kpsn_api_crt.pem, last error is 0x80092002
Th
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem
You change the account of the administration server service via the klsrvswch tool. Note that this is the only way to change the account, manual modification (for example, via services.msc) is not supported.
Then, the you run the Install required updates and fix vulnerabilities task.
As a result, the task is cancelled and updates are not installed.
Diagnostics
The following
In NAgent 15, klmover was updated and now requires NAgent uninstallation password, if it is set in NAgent's policy. Right now the password can't be passed to klmover as an argument, but it can be supplied via echo:
echo <password>|klmover -address <administration server ip>
Because cmd doesn't parse quotes and spaces in echo properly, if klmover is star
Scenario
After the deployment of KSC in the environment, the Backup task fails with the following error using the KSC Backup task or klbackup utility (screenshot is below).
All the permissions were correctly assigned on the shared folder, and ports were opened, but still the backup was failing. There were no blocking events in the Firewall traffic logs.
Error -1963 ('Database connection is broken " 'Connection failure{08S01};' LastStataement='select type from sys.system_object whe
Problem Description, Symptoms & Impact
The installation of the Network Agent isn't possible on a device because of the error System error 0x1F (A device attached to the system is not functioning.)
Diagnostics
In the MSI Log and Application Eventlog can be found the following line:
(1192/0x0 ("System container 'LOC-PUB-6EEB50F8D2EB46029DB4CCB77E0DA651' is corrupt")
Workaround & Solution
The issue comes from a corrupt cryptostorage in the OS. It's not a KL rel
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Product: Any KSC version
Problem Description, Symptoms & Impact
Network Agent local installation errors: "Setup Wizard cannot process the command line", "Setup wizard cannot process the internal error."
Diagnostics
Error can be found on the screenshots or in the installation log.
Workaro
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Product: KSC 11 and more recent versions
Consider the following problematic scenario:
You use a caching proxy server to download updates for the KSC Server, for example, Squid. KSC is configured to download updates via https (default config).
$up2date-1103-eka.log analysis
KL uses the HTT
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Product: KSC 11+
Applies also to the update utility version 4.1 and more recent.
Consider the following problematic scenarios:
You have installed KSWS on the KSC server and enabled Traffic Security component and Traffic Security uses MITM mechanism to analyze traffic.
You use a 3rd party sof
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Consider the following scenario:
You have a large local area network 10.36.0.0/16. There is a managed device with the following IP config: IPv4 address: 10.36.35.10 and Subnet Mask: 255.255.255.0. You create a new subnet condition for klnagent connection profile: 10.36.0.0/16.
Actual result:
The connection profile is not applied to the managed device.
The reason of this behavior is equali
The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center.
To do so, follow these steps:
Back up the data of Kaspersky Security Center using one of the methods described below:
Backup and Restore Wizard
Backup task
Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help.
Then export the list of currently inst
Description and cautions
That article is describing KSC rel. 13.2 to rel. 14.x SW upgrade procedure.
Prerequisites
KSC 13.2 on MS Windows
S/N
Action
Online-Help
1
Download the KSC 14 Version
2
Take the backup of KSC Administration
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
The article is giving a working configuration instructions for domain authentication by using NTLM and Kerberos protocols.
NOTE: Domain authentication in OpenAPI over Kerberos protocol has the following restrictions:
Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for domain account name.
In the domain, yo
Description and cautions
The article shares working examples of using KSC API calls for one of the available scenarios - retrieving tasks results and statistics data for Dashboards and Reports.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
internal
Description and cautions
The article shares working examples of using KSC API calls for one of the available scenarios - publishing KSC virtual server Administration Agent package.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
Make sure
Description and cautions
The article shares working example of using KSC API calls for one of the available scenarios - retrieving events, HW and/or SW inventory data.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
internal user: api-user
Exa
Description and cautions
That article is describing a specific scenario: HA Cluster KSC with 4 CGWs between two different and geographical isolation DC (Data Center).
High level procedure:
KLAdmins group: ksc, rightless / gmsa-ksc-server, gmsa-ksc-nwc; $KSC-NODE-1, $KSC-NODE-2, $SQL-SRV / sql / gmsa-sql-server
SMB shares: data, state, sc_backup, kl-share |
SMB Permissions NTFS ACL - - Full Control for KLAdmins
Created MS SQL Database - KLFOC | Grand Access
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem Description
Error "Error 1181/0x91 ('System error 0x91 (The directory is not empty.)') occured while deleting directory 'C:\ProgramData\KasperskyLab\adminkit\1103''" when installing Network Agent.
The error can be found on a screenshot.
How To Fix
Make sure that the folder ‘C:\ProgramData\KasperskyLab\adminkit\1103’ actually exists.
If you can navigate to this fo
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Which task is responsible for downloading third party Application updates?
Updates metadata is downloaded by Download Updates to the repository task. Updates themselves are downloaded by Install updates and fix Vulnerability task.
What is a source folder containing the third party application updates on the administration server?
3rd party updates are downloaded into the folder C:\ProgramData\Kasper
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
KSC13 introduced a feature that limits the frequent publication of events. In the event that the event storage overflows on the Server, the most common event in the storage is calculated, and such events are blocked when published on hosts.
Problem:
Machines have status "Virus scan wasn't performed for a long time" but the "Virus scan" task was started recently.
Events that oc
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
These errors appear when the remote installation task of NAgent or KES with NAgent was created with the Assign package installation in Active Directory group policies option selected.
At the first startup they start under the account specified in the New Task Wizard. If that user has access for creating domain policies and groups, the task will be completed successfully, and "GPO" and "Security Group" w
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
When troubleshooting typical KSC issues, you will likely need to check the availability of TCP port 13000 on the KSC Server. Both telnet and akconnect tools can be used to achieve this. Syntax is very simple:
akconnect host port
Examples:
akconnect.exe 192.168.1.19 13000 >akconnectoutput.txt
telnet 192.168.1.19 13000 >telnetoutput.txt
Where 192.168.1.19 is the IP address or DN
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
If two different update agents on a PC are assigned in different ways:
To an administration group.
Based on a network location.
Which one will have a higher priority for the PC?
Among the update agents assigned to administration groups, the one assigned to the administration group, that is closest to the target host in the group hierarchy, has the higher priority. If the upd
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Dynamic hosts require more KSC resources than regular hosts.
When a new host is connected to KSC (and the dynamic host is considered new), an icon and a new entry in the database are created, full synchronization with the agent is performed, and the host moved to a group. When the host is deleted, all information about it is deleted as well.
These operations consume a lot of KSC resources, while static
