Description and cautions
The article is giving some use cases examples of KSC API calls to ease one's start using the API. In that KB we are looking at host isolation with KES/KEA scenario.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
internal use
If you accidentally deleted a device from KSC, you can either wait until the next sync (15 minutes by default), or run these commands in a cmd started as administrator:
cd C:\Program Files (x86)\Kaspersky Lab\NetworkAgent
klnagchk.exe -sendhb
Or this command, if you deleted a device running linux:
sudo /opt/kaspersky/klnagent64/bin/klnagchk -sendhb
After that the device should reappear in Unassigned devices.
Description
You may want to allow certain users to do everything, but without giving them access to modify policies, manage users, or assign roles. However, when using default roles provided by KSC, some permissions are either too broad or unchangeable.
Steps to Create the Custom Role:
Open Kaspersky Security Center.
Go to Administration Server Properties → Users Roles.
Click “Add” to create a new role.
Enter a role name (e.g., Rule for Hospitals).
Sometimes you want to use Connection Gateway for roaming hosts, but you don't want to use the default connection port (13000). To achieve that you can use the following solution.
Step-by-step guide
Open NAgent policy.
Network → Connection section.
Open connection profile properties.
Set necessary port after CG address (see screenshot).
This article is about Kaspersky Security Center for Windows (KSC for Windows)
In this article we will share the steps on how run a .bat file remotely through Kaspersky Security Center (KSC).
How to execute a batch file on the remote hosts
Create an installation package based on a file
Create a remote installation task for that Installation package
Assign the task to a target hosts and start it
During task execution NAgent will run the file using a 32-bi
General information on ConnectWise Manage integration can be found in online help.
Kaspersky Security Integration Service for MSP log
To collect diagnostic log for Kaspersky Security Integration Service for MSP you need to take the following steps:
Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Service for MSP;
Open file IntegrationServer.exe.config
Set minlevel attribute to "Debug":
General information on ConnectWise Automate integration can be found in online help.
LabTech service logs
You can access service logs on a LabTech server by launching LabTech Control Center and then navigating to Dashboard → Management → Service Logs. Then select Go To Computer and select LabTech server.
To view diagnostic info for managed client hosts you should first refresh the information by clicking Commands → LabTech →Send LabTech Error Log. On both LabTech servers and
General information on ConnectWise Manage integration can be found in online help.
Enabling and disabling tracing
You may have to save traces of Kaspersky Security Integration with Autotask, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to r
General information on ConnectWise Manage integration can be found in online help.
Enabling and disabling tracing
You may have to save traces of Kaspersky Security Integration with Tigerpaw, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to r
RDP connection invoked via KSC console uses hostname to connect to a host - mstsc.exe is invoked with /v hostname parameter.
Edit command line used to invoke mstsc.exe with ip address parameter instead of the hostname:
Open Custom tools → Configure custom tools
Select Remote Desktop, click Modify
Edit Command line text box, it should contain <host_ip> instead of <A>:
If there are many outdated entries in Executable files list in computer's properties or on a server, there is a way to bring it up-to-date.
Step-by-step guide
There is a hidden Actualization task that runs at the end of the Inventory task. To use this functionality and quickly update the list of executables, do the following:
Create an Inventory task
Set Inventory scope to either empty or very small folder
Run it
Since the scope of work is small, th
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
1) Go to Programs and features and find WebConsole
2) Press Change/uninstall
3) Choose Upgrade mode
4) Follow the wizard and you will be able to change port and list of trusted servers.
General information on Solarwinds N-Central integration can be found in online help.
Trace logs are not created by this plugin. The integration with Solarwinds is based on PowerShell scripts launched on Solarwinds side. The only diagnostic information that is required in case of problems is the output of these scripts that can be found in SolarWinds UI.
If you are using the MMC console with different servers, you may want to keep a list of configured servers after upgrading to a new version. Fortunately, this is possible.
Step-by-step guide
Follow these steps before the upgrade.
Save Kaspersky Security Center XX file from C:\Users\%username%\AppData\Roaming\Microsoft\MMC
Upgrade.
Start and close the MMC console.
Remove newly create Kaspersky Security Center XX file from C:\Users\%username%\AppData\Roaming\
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
In cases when some data is not displayed/shown properly in the MMC administration console, for example, data in the right pane is not displayed properly:
One of the most common reasons of such behavior may be blocked/prohibited execution of JS in the Internet Explorer on the host with the console.
This can be easily identified by the following test:
Step-by-step guide
Star
The ability to modify the ciphers used by the product to communicate with port 13292 published on the Internet is required.
Step-by-step guide
You cannot change the ciphers used on a particular port, but you can change the cipher modes used by the MDM server on all listening ports.To do so, you will need to create a global variable KLTR_ENV_SSL_CIPHER_SUITE and restart Kaspersky Security Center server.
You can familiarize yourself with the format of the values at this link https://w
There is a known limitation in KSC. When hosts are managed from different domains and there are hosts with the similar names in these domains then 'doubles' will appear.
To avoid this, use FQDN (fully qualified domain name) as a display name instead of NETBIOS name.
Step-by-step guide
Set up the following server flag:
SrvUseFqdnAsDisplayNames
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093
Problem
KSC Web Console can be used for monitoring purposes. It is particularly important to have no timeout disconnection errors in this scenario.
To avoid them, the timeout before Web Console disconnects can be increased.
Step-by-step guide
All you have to do is the following:
Edit node.js web server config file located at C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json
Change the following values and restart KSC WC se
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem
There is no mechanism to replace client root certificate used for iOS MDM via reserve certificate.
That's why replacing the client root certificate used for iOS MDM will cause iOS MDM server to lose synchronization with all devices.
Details of active certificate can be viewed in the properties of iOS MDM server, on the "Certificates' tab.
Step-
Article applies to KSC13-14.2 versions.
Sometimes you need to keep KSC tracing on for a long period of time to catch the error and there is little disk space left on the system disk.
Step-by-step guide
There is a way to change the default location of $klserver-1093.log file - use klscflag.exe utility"
klscflag.exe -tset -pv "klserver" -l 4 -d O:\Temp
O:\temp can be changed to any existing folder name in file system. Remember to create this folder before run
Problem
Sometimes it is necessary to replace the KSN proxy address in products like KSWS, KESS or KES after restoring KSC from backup or when Server moved to new Hardware.
Unfortunately, there are no settings in the policy for this.
Solution
The corresponding option can be found in the properties of Installation packages node in KSC.
See the effects of changing this value:
Note that after changing these settings, you must also rebuil
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Make sure the network agent of KSCCC has already been implemented:
Download the Network agent installer of KSCCC from the web console.
Click the installer and confirm that it has already has been installed and click OK.
Finding the HDS site which is used by this NA:
Run the klnagchk utility within C:\Program Files (x86)\Kaspersky Lab\NetworkAgent to check the network conn
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
In this scenario we will create an internal user "test-user" on KSC who has permission on admin group "Virtualized" only, while couldn't view nor manage admin groups "servers" and "workstations".
Step-by-step guide
1. Take a backup from KSC admin server in order to make sure that incorrect changes will not impact your KSC.
2. Login to KSC admin server using admin account and go to KSC admin serve
Maximum validity of the custom certificate (administration server/web console):
A maximum of 5 years can be stored as the maximum validity for the certificate for the administration server
The maximum validity for the certificate for the web console cannot exceed 397 days
Two different certificates must be used:
After the specified time has expired, a new certificate must be generated manually (at best 90 days in advance) and stored as a replacement certificate. Cli
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
0 - Update completed successfully
1 - All files are up-to-date (No available updates)
Result codes depending on OS type:
Windows
Linux(FreeBSD)
Return code description
-1
255
Co
