
About this blog

Entries in this blog

How to Restrict Policy Modification in KSC Using a Custom Role [KSC for Windows]

Description You may want to allow certain users to do everything, but without giving them access to modify policies, manage users, or assign roles. However, when using default roles provided by KSC, some permissions are either too broad or unchangeable. Steps to Create the Custom Role: Open Kaspersky Security Center. Go to Administration Server Properties → Users Roles. Click “Add” to create a new role. Enter a role name (e.g., Rule for Hospitals).

svc_kms

svc_kms in How-to

KSC Upgrade [KSC for Windows]

The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center. To do so, follow these steps: Back up the data of Kaspersky Security Center using one of the methods described below: Backup and Restore Wizard Backup task Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help. Then export the list of currently inst

svc_kms

svc_kms in Known Problem

How to check the network connectivity/sites collapse issues with the KSCCC server [KSC for Windows]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Make sure the network agent of KSCCC has already been implemented: Download the Network agent installer of KSCCC from the web console. Click the installer and confirm that it has already been installed and click OK. Finding the HDS site which is used by this NA: Run the klnagchk utility within C:\Program Files (x86)\Kaspersky Lab\NetworkAgent to check the network conn

svc_kms

svc_kms in How-to

How a Distribution Point for a host is selected [KSC for Windows]

If two different update agents on a PC are assigned in different ways: To an administration group. Based on a network location. Which one will have a higher priority for the PC? Among the update agents assigned to administration groups, the one assigned to the administration group that is closest to the target host in the group hierarchy has the higher priority. If the upd

svc_kms

svc_kms in Known Problem

How to use IP address to open RDP connections from KSC console [KSC for Windows]

An RDP connection invoked via the KSC console uses the hostname to connect to a host: mstsc.exe is invoked with the /v hostname parameter. Edit the command line used to invoke mstsc.exe so that it passes the IP address instead of the hostname: Open Custom tools → Configure custom tools. Select Remote Desktop, click Modify. Edit the Command line text box; it should contain <host_ip> instead of <A>:

svc_kms

svc_kms in How-to

How to modify cipher algorithms used by KSC MDM server on listening ports [KSC for Windows]

The ability to modify the ciphers used by the product to communicate with port 13292 published on the Internet is required. Step-by-step guide You cannot change the ciphers used on a particular port, but you can change the cipher modes used by the MDM server on all listening ports. To do so, you will need to create a global variable KLTR_ENV_SSL_CIPHER_SUITE and restart Kaspersky Security Center server. You can familiarize yourself with the format of the values at this link https://w

svc_kms

svc_kms in How-to

How to collect logs from Chrome DevTool for KSC Web Console [KSC for Windows]

This is a small guide about Chrome Developer tools for collecting logs. 1. Open the Chrome menu and select More tools → Developer tools or press Ctrl+Shift+I. 2. Temporarily ignore the opened sidebar and open KSC Web Console. 3. Sign in using correct credentials. Wait until the page loads. If the loading of the page takes too long, wait a minute before moving on to the

svc_kms

svc_kms in How-to

How to collect diagnostic information for ConnectWise Manage integration plugin [KSC for Windows]

General information on ConnectWise Manage integration can be found in online help. Kaspersky Security Integration Service for MSP log To collect diagnostic log for Kaspersky Security Integration Service for MSP you need to take the following steps: Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Service for MSP; Open file IntegrationServer.exe.config Set minlevel attribute to "Debug":

svc_kms

svc_kms in How-to

How to collect diagnostic information for Autotask integration plugin [KSC for Windows]

General information on ConnectWise Manage integration can be found in online help. Enabling and disabling tracing You may have to save traces of Kaspersky Security Integration with Autotask, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to r

svc_kms

svc_kms in How-to

Sizing recommendations for KSC for connecting VDI hosts [KSC for Windows]

Dynamic hosts require more KSC resources than regular hosts. When a new host is connected to KSC (and the dynamic host is considered new), an icon and a new entry in the database are created, full synchronization with the agent is performed, and the host is moved to a group. When the host is deleted, all information about it is deleted as well. These operations consume a lot of KSC resources, while static

svc_kms

svc_kms in Known Problem

NAgent upgrade failure due to mismatch between .msi packages [KSC for Windows]

Problem Network agent upgrade fails. Network Agent installation from an .msi package different from the new .msi package is the root cause. See the below logs: KLNAG_INS_MSI: CheckInstalledMsiName: installed name 'KasperskyNetworkAgent', installed ext '.msi'  MSI_UTILS: CAGetProperty(OriginalDatabase) called...  KLNAG_INS_MSI: CheckInstalledMsiName: installing name 'Kaspersky Network Agent', installing ext '.msi'  KLNAG_INS_MSI: CheckInstalledMsiName: names are NOT equal  Solution

svc_kms

svc_kms in Known Problem

Microsoft Store gets blocked when KSC is acting as WSUS [KSC for Windows]

Problem When you assign KSC as WSUS, all hosts are unable to download anything from Microsoft Store. This is a Microsoft design limitation. Description When KSC acts as WSUS, the group policy (GPO) "DoNotConnectToWindowsUpdateInternetLocations" is applied to the hosts. It is needed to prohibit hosts from downloading updates from the Internet (it is relevant for Windows 10/Server 2016). Such

svc_kms

svc_kms in Known Problem

How to collect diagnostic information for Tigerpaw integration plugin [KSC for Windows]

General information on ConnectWise Manage integration can be found in online help. Enabling and disabling tracing You may have to save traces of Kaspersky Security Integration with Tigerpaw, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to r

svc_kms

svc_kms in How-to

KSC OpenSSL protcomp vulnerabilities [KSC for Windows]

When running security analyzers on the KSC server, you may occasionally get warnings about outdated OpenSSL libraries. Normally these vulnerabilities cannot be exploited, as the OpenSSL library is used in a very specific way. If vulnerable OpenSSL libraries were found in C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\protcomp then there is actually no way to exploit it. Due to this fact this library is us

svc_kms

svc_kms in Known Problem

How to change address of KSN Proxy [KSC for Windows]

Problem Sometimes it is necessary to replace the KSN proxy address in products like KSWS, KESS or KES after restoring KSC from backup or when the server is moved to new hardware. Unfortunately, there are no settings in the policy for this. Solution The corresponding option can be found in the properties of the Installation packages node in KSC. See the effects of changing this value: Note that after changing these settings, you must also rebuil

svc_kms

svc_kms in How-to

How to clear executable files list [KSC for Windows]

If there are many outdated entries in Executable files list in computer's properties or on a server, there is a way to bring it up-to-date. Step-by-step guide There is a hidden Actualization task that runs at the end of the Inventory task. To use this functionality and quickly update the list of executables, do the following: Create an Inventory task  Set Inventory scope to either empty or very small folder Run it Since the scope of work is small, th

svc_kms

svc_kms in How-to

How to set PLC Project Integrity Check task in the KSC Console [KSC for Windows]

You can set and run the PLC Project Integrity Check task in the KICS4Nodes console, but it is not clear how to add PLC projects to the task settings in the KSC Console. Before the PLC Project Integrity Check task is set up, the PLC Project Investigation task should have been executed successfully. Step-by-step guide Go to the KICS4Nodes policy -> Properties -> Logs and Notifications -> Interaction with Administration Server | Settings. Enable Versions of PLC projects op

svc_kms

svc_kms in How-to

How to collect diagnostic information for ConnectWise Automate (ex-LabTech) integration plugin [KSC for Windows]

General information on ConnectWise Automate integration can be found in online help. LabTech service logs You can access service logs on a LabTech server by launching LabTech Control Center and then navigating to Dashboard → Management → Service Logs. Then select Go To Computer and select LabTech server. To view diagnostic info for managed client hosts you should first refresh the information by clicking Commands → LabTech → Send LabTech Error Log. On both LabTech servers and

svc_kms

svc_kms in How-to

How to set the search mode of the nearest DP (klnagent sends ICMP packets to find out the nearest distribution point (time to live exceeded in transit)) [KSC for Windows]

Description and cautions You may see a low time-to-live value set in ICMP network packets sent by klnagents. The following can be seen in a Wireshark traffic dump: Explanation: There are two modes of distribution point search: 0 - search of the nearest DP using a tool similar to traceroute. It generates a number of ICMP packets to find out the nearest route to DP - this is the default mode. 1 - selection of random DP without sending such amount of ICMP p

svc_kms

svc_kms in How-to

Q&As on the VAPM functionality of KSC [KSC for Windows]

Which task is responsible for downloading third party Application updates? Updates metadata is downloaded by Download Updates to the repository task. Updates themselves are downloaded by Install updates and fix Vulnerability task. What is a source folder containing the third party application updates on the administration server? 3rd party updates are downloaded into the folder C:\ProgramData\Kasper

svc_kms

svc_kms in Known Problem

Errors "0x52E", "0x200A" and "Access is denied" when deleting a task [KSC for Windows]

These errors appear when the remote installation task of NAgent or KES with NAgent was created with the Assign package installation in Active Directory group policies option selected. At the first startup they start under the account specified in the New Task Wizard. If that user has access for creating domain policies and groups, the task will be completed successfully, and "GPO" and "Security Group" w

svc_kms

svc_kms in Known Problem

How to change KSC Web Console port [KSC for Windows]

This info applies to KSC12-14.2.  Web Console port can be changed from default port 8080 to 443 or any other port not occupied by the operating system or a third-party application. 1. Open file "C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json" with any text editor and type the port you would like to use instead of 8080: 2. Restart all Kaspersky Security Center Web Console services via services.msc to apply changes.   

svc_kms

svc_kms in How-to

Kaspersky Update Utility return codes [KSC for Windows]

0 - Update completed successfully 1 - All files are up-to-date (No available updates) Result codes depending on OS type: Windows Linux(FreeBSD) Return code description -1 255 Co

svc_kms

svc_kms in How-to

How to collect SNMP component trace [KSC for Windows]

To troubleshoot SNMP functionality in KSC specific traces should be collected. Step-by-step guide To collect traces: Download archive Use trace-5-snmpagt.reg to start trace Reproduce the issue Use trace-off-snmpagt.reg to stop trace Archive files and send to Kaspersky Support.

svc_kms

svc_kms in How-to

Network Agent installation error "Error 1181/0x91 ('System error 0x91 (The directory is not empty.)') occured while deleting directory 'C:\ProgramData\KasperskyLab\adminkit\1103"'' [KSC for Windows]

Problem Description Error "Error 1181/0x91 ('System error 0x91 (The directory is not empty.)') occured while deleting directory 'C:\ProgramData\KasperskyLab\adminkit\1103''" when installing Network Agent. The error can be found on a screenshot. How To Fix Make sure that the folder ‘C:\ProgramData\KasperskyLab\adminkit\1103’ actually exists. If you can navigate to this fo

svc_kms

svc_kms in Known Problem


