Description and cautions
The article is giving some use cases examples of KSC API calls to ease one's start using the API. In that KB we are looking at host isolation with KES/KEA scenario.
For the Windows version of cURL, you need to specify that the arguments need to be escaped with "\", otherwise there will be an error. For example: 'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'
Details
Prerequisites
internal use
This article is about Kaspersky Security Center for Windows (KSC for Windows)
Problem:
KSC certificate renewal or replacement is made incorrectly because the option to instantly replace the server certificate is used.
As a result, managed devices loose the connection with KSC and klmover command or re-installation of klnagent is required to restore the connectivity.
Cause:
After the certificate is renewed with "-t C" option, network agent
In this article we will share the steps on how to run a batch (*.bat) file remotely through Kaspersky Security Center (KSC) on Windows devices.
Other script types and binary file formats (for example, Powershell (*.ps1), EXE-files, MSI installers) must be run from the batch file too. KSC does not support direct execution of other formats, this can lead to unexpected task behavior.
Depending on the KSC console type you must prepare the script file with additional files:
As an a
Windows
Unpack the archive (add_category.rar) on any device that has access to the Administration Console port of the Administration Server.
Create a text file with needed hashes, by default the script expects it to be sha256.txt in script's working directory.
Edit add_category.cmd with specified KSC username, password, server address, name of the text file with hashes (file should be saved in UTF-8 encoding)
If a category with the specified name already exists, it k
Problem
In Kaspersky Security Center Network Agent (klnagent) 15.1 and more recent versions, klmover tool requires klnagent uninstallation password to re-connect a managed host to another Administration Server: https://support.kaspersky.com/ksc/15.1/227839
If the password is not set in the policy, it is not required to be specified in command line via the parameter: -nauninstpwd
If klmover is executed directly through a Command Prompt, the parameter will work as expected. However, if
KSC installer generates default passwords for service accounts (automatically created to run KSC service), KIPxeUser and KIScSvc.
Those passwords have 16 characters length, characters are taken randomly so that the password contain 3 out of 4 of the following groups of characters:
Lowercase characters (a – z)
Uppercase characters (A – Z)
Numbers (0-9)
Symbols (~ ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( )
Also the password cann
There is a known limitation in KSC. When hosts are managed from different domains and there are hosts with the similar names in these domains then 'doubles' will appear.
To avoid this, use FQDN (fully qualified domain name) as a display name instead of NETBIOS name.
Step-by-step guide
Set up the following server flag:
SrvUseFqdnAsDisplayNames
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093
This article is about Kaspersky Security Center for Windows (KSC for Windows)
Step-by-step guide
Make sure that System Management license is installed, otherwise KSC events won't be exported to SIEM. For more information please refer to SIEM integration: the most frequent error.
Specify Splunk Server address and port;
Login into Splunk Management console;
Press Settings → Configure data inputs;
In the o
Sometimes you want to use Connection Gateway for roaming hosts, but you don't want to use the default connection port (13000). To achieve that you can use the following solution.
Step-by-step guide
Open NAgent policy.
Network → Connection section.
Open connection profile properties.
Set necessary port after CG address (see screenshot).
In some cases klakaut traces should be collected for diagnostics.
Step-by-step guide
To do so:
Import klakaut-on_x*.reg file.
Restart klakaut service.
net stop klakaut
net start klakaut
Enable another trace if required.
Reproduce the issue.
Impor
Problem
KSC Web Console can be used for monitoring purposes. It is particularly important to have no timeout disconnection errors in this scenario.
To avoid them, the timeout before Web Console disconnects can be increased.
Step-by-step guide
All you have to do is the following:
Edit node.js web server config file located at C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json
Change the following values and restart KSC WC se
Description
You may want to allow certain users to do everything, but without giving them access to modify policies, manage users, or assign roles. However, when using default roles provided by KSC, some permissions are either too broad or unchangeable.
Steps to Create the Custom Role:
Open Kaspersky Security Center.
Go to Administration Server Properties → Users Roles.
Click “Add” to create a new role.
Enter a role name (e.g., Rule for Hospitals).
For any types of issues with tasks managed by KSC, we require export of task execution history in .txt file. Task execution history is a sequence of events generated by client computer during task execution.
Step-by-step guide
To export task execution history, follow these steps:
Open task results window.
In the upper part of the task results window, select problem computer.
Right-click some event in the lower part of the task results window,
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
You're using KSC as WSUS server and moving the Windows Update folder to another drive so it won't occupy space on the C drive. However, when you're downloading Windows updates to KSC, the “C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer” folder is increasing its size up to 15.5 GB.
Solution
Here is the procedure:
Make a backup copy of KSC.
Stop KSC service
C
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
In this scenario we will create an internal user "test-user" on KSC who has permission on admin group "Virtualized" only, while couldn't view nor manage admin groups "servers" and "workstations".
Step-by-step guide
1. Take a backup from KSC admin server in order to make sure that incorrect changes will not impact your KSC.
2. Login to KSC admin server using admin account and go to KSC admin serve
Maximum validity of the custom certificate (administration server/web console):
A maximum of 5 years can be stored as the maximum validity for the certificate for the administration server
The maximum validity for the certificate for the web console cannot exceed 397 days
Two different certificates must be used:
After the specified time has expired, a new certificate must be generated manually (at best 90 days in advance) and stored as a replacement certificate. Cli
Description and cautions
You may experience low time to live value set in ICMP network packets sent by klnagents.
The following can be seen in wire shark traffic dump:
Explanation:
There are two modes of distribution point search:
0 - search of the nearest DP using a tool similar to traceroute. It generates a number of ICMP packets to find out the neatest route to DP - this is the default mode.
1 - selection of random DP without sending such amount of ICMP p
Problem
Sometimes it is necessary to replace the KSN proxy address in products like KSWS, KESS or KES after restoring KSC from backup or when Server moved to new Hardware.
Unfortunately, there are no settings in the policy for this.
Solution
The corresponding option can be found in the properties of Installation packages node in KSC.
See the effects of changing this value:
Note that after changing these settings, you must also rebuil
NOTE: KSC CC is a cloud solution and its IP can be changed.
Run klnagchk utility on connected to target workspace host.
Find KSC CC server address in klnagchk output. It should looks like eXXX.ksc.kaspersky.com.
Use nslookup utility to find the IP address of this server.
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Make sure the network agent of KSCCC has already been implemented:
Download the Network agent installer of KSCCC from the web console.
Click the installer and confirm that it has already has been installed and click OK.
Finding the HDS site which is used by this NA:
Run the klnagchk utility within C:\Program Files (x86)\Kaspersky Lab\NetworkAgent to check the network conn
This info applies to KSC12-14.2.
Web Console port can be changed from default port 8080 to 443 or any other port not occupied by the operating system or a third-party application.
1. Open file "C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json" with any text editor and type the port you would like to use instead of 8080:
2. Restart all Kaspersky Security Center Web Console services via services.msc to apply changes.
To troubleshoot SNMP functionality in KSC specific traces should be collected.
Step-by-step guide
To collect traces:
Download archive
Use trace-5-snmpagt.reg to start trace
Reproduce the issue
Use trace-off-snmpagt.reg to stop trace
Archive files and send to Kaspersky Support.
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This is a small guide about Chrome Developer tools for collecting logs.
1. Open the Chrome menu and select More tools → Developer tools or press Ctrl+Shift+I.
2. Temporarily ignore the opened sidebar and open KSC Web Console.
3. Sign in using correct credentials. Wait until the page loads. If the loading of the page takes too long, wait a minute before moving on to the
You can set and run PLC Project Integrity Check task in KICS4Nodes console. But it is not clear how to add PLC projects into the task settings in the KSC Console.
Before PLC Project Integrity Check task setting the PLC Project Investigation task should be successfully executed.
Step-by-step guide
Go to the KICS4Nodes policy -> Properties -> Logs and Notifications -> Interaction with Administration Server | Settings.
Enable Versions of PLC projects op
Article applies to KSC13-14.2 versions.
Sometimes you need to keep KSC tracing on for a long period of time to catch the error and there is little disk space left on the system disk.
Step-by-step guide
There is a way to change the default location of $klserver-1093.log file - use klscflag.exe utility"
klscflag.exe -tset -pv "klserver" -l 4 -d O:\Temp
O:\temp can be changed to any existing folder name in file system. Remember to create this folder before run
