Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article is about Kaspersky Endpoint Security for Windows (KES for Windows)
This informational message does not mean that Self-Defense accuses any process of being under malware attack, it proactively blocks certain operations that could pose a potential threat to processes.
The number of events depends on the activity of applications that inhabit the system, especially from their periodic acti
Problem
There are several problems with similar causes:
1) KESL postinstall script produces error.
Warning: Failed to set up KSN
2) KESL is installed and running. However, the kesl-control command outputs something like that:
kesl-control --app-info
Connection refused. Invalid user permissions for /var.
Only root user should have write access to this path.
kesl-control --app-info
Could not connect to Kaspersky Endpoint Security 11.2.2 for Linux
Problem
kesl-control --app-info outputs the following error:
en
File Threat Protection: Unavailable due to file interceptor driver error
One of the most common root causes is Fanotify is disabled (or KESL could not access it) and kernel module compilation also failed.
A special utility can be used for this directly on the affected mac
Description
Starting from KES Windows version 12.6, it can parse third-party mail base files, but still can't re-assemble them. Malware scan tasks runs in folders where mail base files for Thunderbird or TheBat! are located and finds threats in old mail items.
Diagnostics
After choosing Resolve or setting "Disinfect, delete if disinfection fails" in the KSC task, nothing changes, and another malware scan task anyway finds the same threats.
Workaround and solution
Sinc
Problem Description
While installing KES for Windows via KSC installation package the following error appears and interferes with installation.
Possible causes:
KES components installed already before installation.
Required driver files were not found.
Workaround & Solution
Use kavremover and reinstall KES with the latest patch.
In case kavremover will not help, please collect procmon and KES installation logs, actual GSI with e
How to check if KES is installed, its state (running or not) and bases version via registry:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState
More information about these registry keys is available in Online Help: https://support.kaspersky.com/ksc14/3644.
Obtaining information from the registry is for familiarization purposes only. KESCLI commands method supported by developers:
Managing the application from the command
Problem Description, Symptoms & Impact
In KES 12.0, the way Device Control component works has been changed. See changelog: https://support.kaspersky.com/help/KESWin/12.0/en-US/127969.htm
Due to these changes, you may notice that printing order becomes slow after you have upgraded KES to version 12.0 or higher. This delay may be around 30-60s or even 10-15 minutes. When you disable KES, it becomes instant. In some exceptional cases, the delay may be so big that it's impossible to p
Problem
While WTP/NTP is enabled, nft utility produces errors (stderr) like
# nft list ruleset
XT target TPROXY not found
XT target TPROXY not found
XT target TPROXY not found
XT target TPROXY not found
These errors are caused by a bug in nft ut
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Same info can be found here: https://support.kaspersky.com/16010
Starting from version 11.5, some file versions, registry and file system paths may differ from the release version and refer to the product line version.
Release full build version
Product line version
GUID
1
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article is about Kaspersky Endpoint Security for Windows (KES for Windows)
This problem has been observed in KES 11.5, but may apply to other versions as well.
Problem
Sometimes the KES tray icon behaves unexpectedly: it appears twice or does not appear at all (the icon next to the Windows clock).
Solution
Reset the tray icons:
Open regedit;
Go to HKEY
Scenario
Enable Network Threat Protection
Connect another Mac via a thunderbolt cable
Try to send any data from one computer to another
Connection times out
Workaround & Solution
Connect computers by other means or disable NTP when using Thunderbolt bridge.
RCA
This issue is caused by a bug in macOS' built-in packet filter and was reported to apple.
This article describes what is considered a Full Scan, which affects the KSC status "Virus Scan has not been performed for a long time".
Scan task area settings
There are two ways to set areas for a Scan task. Tasks started with any other settings (including Quick Scan and Critical Area Scan with default settings) will not be considered as a Full Scan.
Primary
Kernel Memory
Running processes and Startup Objects
Disk boot sectors
Local disk (logical di
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article is about Kaspersky Endpoint Security for Windows (KES for Windows)
Problem
When KES installation fails with error message "Failed to access local group policy. Error 0x80004005", installation log should be checked. If it contains something similar, follow the steps below.
MSI (s) (F4:94) [11:27:28:103]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MS
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
What is the role of Kaspersky in BitLocker encryption process ?
Basically, KES BitLocker management is a COM object that is registered in the system and changes the BitLocker component settings in accordance to the settings that are specified in the KES policy. Afterwards it stores the recovery data received from BitLocker component on the KSC side. Also, it provides error-reporting and verifies that th
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Version: KES 11.*
Scenario:
You're unable to boot into encrypted machine after FDE applied due to some problems with preboot agent or operating system.
The the safest and one of the most trivial options to restore the data from encrypted hdd or decrypt it 'in place' is going through KES related ‘challenge-response’ procedure using another (i.e. proxy) machine with KES and FDE installed.
Problem
Application category based on the "Metadata" conditions created, but does not work.
Solution
This is expected behavior, in case the file does not have a digital signature, that can be trusted by local KES on the host in question, or is not known in KSN. Use sigcheck tool to see if the file has a valid digital signature – https://technet.microsoft.com/ru-ru/sysinternals/bb897441.aspx
Use other criteria, to determine the category (for example file hash).
Issue
Sometimes Device Control errors in KES may occur. For example, hard drives are wrongly blocked when USB device blocking is enabled, or flash drive blocking is not happening although the policies require to do so.
In some cases, the reason for erroneous blocking is that the operating system (OS) is incorrectly identifying the device type.
Solution
As an example, if the policies prohibit access to flash drives, but this rule does not always work, you can check the followi
Problem Description, Symptoms & Impact
Local installation from a standalone package fails
Diagnostics
Check installation logs of the product. We are looking for the following string:
09.02.2022 17:06:19.453 00000374.000028B4 L1 KLSTD: #1, Error was caught in KLERR_throwError, c:\a\b\a_6vlf7p9h\s\csadminkit\development2\klri\pkginst\klpkinst.cpp@1061. Error params: (1187/0x0 ("Bad parameter "VerifyCertDate""), "KLSTD", c:\a\b\a_6vlf7p9h\s\csadminkit\development2\klri\pkgi
Description
VMWare guest using Kaspersky products hanging or crashing due to driver conflicts between drivers used by VMWare NSX (vnetWFP.sys, previously vnetflt.sys) and Network Threat Protection component.
This problem is known to happen with following versions of KES and VMware Tools:
KES 11.6 with VMWare Tools 10.0.9
KES 11.6 and 11.7 with VMWare Tools 11.3.5
KES 12 with VMWare Tools 10.1.7
Troubleshooting steps
Update VMWare Tools
Somet
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article might be useful in the following cases:
If you want to configure multi-vendor security on endpoints, keeping both Kaspersky and Microsoft technologies;
If you don't know how to properly configure a Microsoft solution after installing KES;
If you're having some issues with the product and the OS after configuring KES and Defender.
The differences between the Defender
Description
After successful installation kesl-supervisor.service may refuse to start with the following error:
kesl-supervisor.service: Control process exited, code=exited status=203
journalctl -xe command provide more information related this error
*****
kesl-supervisor.service: Failed to execute command: Permission denied
kesl-supervisor.service: Failed at step EXEC spawning /var/opt/kaspersky/kesl/install-current/etc/init.d/kesl-supervisor:
While removing Kaspersky Security for Windows Server Console removal log may contain a message:
Error 1336. There was an error creating a temporary file that is needed to complete this installation.
Folder: C:\Program Files (x86)\Common Files\Kaspersky Lab\Kaspersky Security for Windows Server\.
System error code: 5
And if you launch removal process using an appwiz.cpl a popup will be displayed stating :
“There was an error creating a temporary file that is needed to complete
Symptoms
OS hang, sometimes with open file errors in journals
Customer application degrades with errors "unable to open file", "too many open files"
Hangs and third-party (compatibility) issues often require advanced data collection and are sophisticated to investigate. However, a quick check is possible:
On a system where KESL has worked for some time (not immediately after reboot/restart), validate the output of the following command, ran as root, for numerous r
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article is about Kaspersky Endpoint Security for Windows (KES for Windows)
Problem
When KES installation fails with error message "Failed to access local group policy. Error 0x80004005", installation log should be checked. If it contains something similar, follow the steps below.
MSI (s) (F4:94) [11:27:28:103]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MS
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article is about Kaspersky Endpoint Security for Windows (KES for Windows)
Trojan.Multi.Accesstr detection is triggered when KES detects that one of Windows utilities in %systemroot%\system32 folder is replaced by cmd.exe or powershell.exe. Please see below for a list of affected files with exact detection names. Detection event looks like this:
