Overview
About This Club
Description
You may want to allow certain users to do everything, but without giving them access to modify policies, manage users, or assign roles. However, when using the default roles provided by KSC, some permissions are either too broad or unchangeable.

Steps to create the custom role:
1. Open Kaspersky Security Center.
2. Go to Administration Server Properties → User Roles.
3. Click "Add" to create a new role.
4. Enter a role name (e.g., Rule for Hospitals).
5. In the Rights tab, allow the necessary permissions, such as: View reports; Run tasks; Monitor devices. Do not grant permissions related to: Policy creation; Policy editing; Policy assignment.
6. Click OK to save the role.

Assign the role:
1. Go to Security → Users.
2. Select the user or group who needs restricted access.
3. Assign the newly created role (Rule for Hospitals) to them.

Result:
The user can perform routine operations such as monitoring, running tasks and reporting. The user cannot modify policies, and cannot manage or assign users and roles. This ensures security, compliance, and accountability across the KSC environment.
-
How to export task history [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
For any type of issue with tasks managed by KSC, we require an export of the task execution history as a .txt file. The task execution history is the sequence of events generated by the client computer during task execution.

Step-by-step guide
To export the task execution history, follow these steps:
1. Open the task results window.
2. In the upper part of the task results window, select the problem computer.
3. Right-click some event in the lower part of the task results window, where the task execution history for the selected host is displayed.
4. In the context menu, choose the Export… option. The Events Export Wizard will start.
5. Click the "Browse" button, select the file destination and file name. Save the events to a .txt file.
6. Make sure the option "Export selected events only" is NOT enabled.
7. Click the "Next" button.
8. Select the option "Export as tab-delimited Unicode text".
9. Click the "Next" button and complete the wizard.
-
How to export events to Splunk [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
This article is about Kaspersky Security Center for Windows (KSC for Windows)

Step-by-step guide
Make sure that the Systems Management license is installed, otherwise KSC events won't be exported to SIEM. For more information please refer to "SIEM integration: the most frequent error".
1. Specify the Splunk server address and port.
2. Log in to the Splunk management console.
3. Press Settings → Configure data inputs.
4. In the opened Add Data window: select TCP; specify the port you are planning to use and a Source (KSC server address or DNS name).
5. Configure Source type: choose Select and pick syslog from the drop-down menu.
6. Configure Host: set IP for Method.
7. Check the settings on the result screen.
8. Open the Splunk home page and press Search & Reporting.
9. Make sure that the KSC events were indexed by Splunk correctly, as expected.
Right now you are able to see raw KSC events.
-
This article is about Kaspersky Security Center for Windows (KSC for Windows)

Problem
You set up integration with SIEM but no events come up on the SIEM side. In some cases there is no incoming traffic to SIEM from the KSC server at all.

Solution
In the vast majority of cases the root cause can be located in the KSC server trace.

Trace example #1
25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.

Trace example #2
24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224. Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151) Error loc: 'This operation requires a license for the feature Systems Management.'.

If you can find such a line, make sure that the Systems Management license is installed on KSC. If the issue reproduces with the SM license installed, do the following:
1. Enable admin server tracing.
2. Click the 'Export archive' button.
3. Wait 15 minutes.
4. Provide Customer Support (https://companyaccount.kaspersky.com/) with the traces, the GSI file (https://support.kaspersky.com/common/diagnostics/3632 - do not forget to switch on the event logs collection), and a detailed problem description.
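The two trace excerpts above are the indicators that distinguish a licensing problem from a real connectivity problem. As an added example (not Kaspersky's code), the following script scans an Administration Server trace for those exact strings and reports which branch of the procedure applies. The trace line layout (timestamp, thread ids, level, component, message) is an assumption read off the two examples; the second sample line is constructed filler.

```python
"""Scan a KSC Administration Server trace for the SIEM-export license indicators
quoted in the article. Added example, not Kaspersky's code."""
import re

# Indicator strings copied from the two trace examples. Any of them means the
# Systems Management license is missing, so KSC will not export events to SIEM.
LICENSE_INDICATORS = (
    "There is no key for SystemManagement",
    "Functionality in limited mode. Area: System Management",
    "This operation requires a license for the feature Systems Management",
)

# Leading timestamp of a trace line, e.g. "25.01.2017 09:56:56.855" (assumed layout).
_TS_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")


def find_license_errors(trace_text):
    """Return [(timestamp, indicator)] for every line carrying a license indicator.

    One hit per line: the KLERR example contains two of the indicators, and we
    only need to know that the line is a license error, not how many phrasings it uses."""
    hits = []
    for line in trace_text.splitlines():
        m = _TS_RE.match(line)
        for needle in LICENSE_INDICATORS:
            if needle in line:
                hits.append((m.group(1) if m else None, needle))
                break
    return hits


def diagnose(trace_text):
    """Map the scan result onto the article's two outcomes."""
    if find_license_errors(trace_text):
        return "no Systems Management license: install the SM license on KSC"
    return "no license indicator found: enable admin server tracing, export the archive, collect GSI"


# Constructed sample trace: lines 1 and 3 are the article's examples, line 2 is filler.
SAMPLE_TRACE = "\n".join([
    r"25.01.2017 09:56:56.855 00001320.0000015C L1 KLSPLG: There is no key for SystemManagement.",
    r"25.01.2017 09:56:57.001 00001320.0000015C L3 KLSRV: heartbeat",
    r"""24.10.2017 13:27:06.071 00001C78.00001464 L1 KLERR: #1, Error was caught in KLSPLG::EventsSupplierToSiem::Build, .\splg\events_supplier_to_siem.cpp@224. Error params: (1571/0x0 ("Functionality in limited mode. Area: System Management."), "KLSRV", .\license_policy\license_policy_utils.cpp@151) Error loc: 'This operation requires a license for the feature Systems Management.'.""",
])

if __name__ == "__main__":
    for ts, needle in find_license_errors(SAMPLE_TRACE):
        print(ts, "->", needle)
    print(diagnose(SAMPLE_TRACE))
```

Point the script at the real trace file (read it and pass the text to `diagnose`) before opening a support case; if it reports a license indicator, the traces and GSI collection described above are not needed yet.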
-
The KSC installer generates default passwords for the service accounts (created automatically to run the KSC services), KIPxeUser and KIScSvc. Those passwords are 16 characters long; the characters are chosen at random so that the password contains characters from 3 out of 4 of the following groups:
- Lowercase characters (a – z)
- Uppercase characters (A – Z)
- Numbers (0-9)
- Symbols (~ ! @ # $ % ^ & * - _ + = [ ] { } | \ : ' , . ? / ` ~ " < > ( ))
In addition, the password cannot contain a dot character '.' immediately preceding the '@' symbol.
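The policy above is easy to state but easy to get subtly wrong (the "3 of 4 groups" rule and the '.'-before-'@' exclusion interact). As an added example, not the installer's own code, this checker validates a password against exactly the rules stated above and generates one that passes using the OS CSPRNG with rejection sampling. The symbol set is the article's list (with the duplicated '~' removed); "16" and "3 of 4" are the article's numbers.

```python
"""Check and generate KSC service-account passwords per the stated policy.
Added example, not Kaspersky's installer code."""
import secrets
import string

# Symbol group as listed in the article (the list shows '~' twice; once is enough).
SYMBOLS = "~!@#$%^&*-_+=[]{}|\\:',.?/`\"<>()"
GROUPS = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
LENGTH = 16
MIN_GROUPS = 3


def check_password(pw):
    """Return a list of policy violations; an empty list means the password conforms."""
    problems = []
    if len(pw) != LENGTH:
        problems.append("length is %d, expected %d" % (len(pw), LENGTH))
    groups_used = sum(1 for g in GROUPS if any(c in g for c in pw))
    if groups_used < MIN_GROUPS:
        problems.append("only %d of 4 character groups used" % groups_used)
    if ".@" in pw:
        problems.append("'.' immediately precedes '@'")
    if any(all(c not in g for g in GROUPS) for c in pw):
        problems.append("character outside the allowed set")
    return problems


def generate_password():
    """Draw uniformly from the full alphabet and reject candidates that break the policy.

    Rejection sampling keeps the distribution uniform over conforming passwords,
    unlike "pick one char from each group and shuffle", which biases the result."""
    alphabet = "".join(GROUPS)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(LENGTH))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    print(generate_password())
    print(check_password("abc.@defghijk123"))   # shows the '.'-before-'@' rule firing
```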
-
How to collect Klakaut traces [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
In some cases klakaut traces should be collected for diagnostics.

Step-by-step guide
To do so:
1. Import the klakaut-on_x*.reg file.
2. Restart the klakaut service:
   net stop klakaut
   net start klakaut
3. Enable another trace if required.
4. Reproduce the issue.
5. Import the klakaut-off_x*.reg file.
The trace file $klakaut-klakaut.log will be placed in C:\Windows\Temp.
Make sure to use the correct reg file, depending on the OS architecture (x86 or x64).
-
How to collect SNMP component trace [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
To troubleshoot SNMP functionality in KSC, specific traces should be collected.

Step-by-step guide
To collect traces:
1. Download the archive.
2. Use trace-5-snmpagt.reg to start the trace.
3. Reproduce the issue.
4. Use trace-off-snmpagt.reg to stop the trace.
5. Archive the files and send them to Kaspersky Support.
-
KSC API use cases examples - host isolation with KES/KEA [KSC for Windows]
svc_kms commented on svc_kms's blog entry in Kaspersky Security Center's Kaspersky Security Center Community
KES Isolation (11.7 and upper)

FindHost
Find the host with the previous method and copy the value of "KLHST_WKS_HOSTNAME". For example:
"KLHST_WKS_DN":"KEDRO-1","KLHST_WKS_HOSTNAME":"a20da5de-49e5-469a-92ea-41b5adb74ea4"

SrvView
Find srvview data by filter string (SrvView::ResetIterator).
"wstrViewName" - check List of supported srvviews.
"vecFieldsToReturn" - check https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html

SrvView::ResetIterator
POST /api/v1.0/SrvView.ResetIterator HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 614

{
  "wstrViewName": "HostTasksSrvView",
  "vecFieldsToReturn": [ "nState", "strTask", "TASK_NAME", "txtDisplayName", "TASKID_PRODUCT_NAME", "TASKID_PRODUCT_VERSION", "bCannotBeDeleted", "bSystem" ],
  "vecFieldsToOrder": [ { "type": "params", "value": { "Name": "TASK_NAME", "Asc": "true" } } ],
  "lifetimeSec": 100,
  "pParams": { "strHostId": "a20da5de-49e5-469a-92ea-41b5adb74ea4" },
  "wstrFilter": ""
}

Response:
{"wstrIteratorId":"67D74142AE0FA1A3D05CD696B957902B"}

GetRecordRange
Fetch the records from the iterator returned above (SrvView.GetRecordRange):
curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrIteratorId\":\"67D74142AE0FA1A3D05CD696B957902B\", \"nStart\": 0, \"nEnd\": 100 }"

Copy the "strTask" value for the tasks "xdr_networkisolation_start" and "xdr_networkisolation_stop". For example:
Isolation ON  => "TASK_NAME":"xdr_networkisolation_start" .... "strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"
Isolation OFF => "TASK_NAME":"xdr_networkisolation_stop" .... "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"

Isolation ON

GetHostTasks
Return server specific identity to acquire and manage host tasks.
(HostGroup::GetHostTasks) HostGroup.GetHostTasks POST /api/v1.0/HostGroup.GetHostTasks HTTP/1.1 Host: localhost:13299 X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg== Content-Type: application/json Content-Length: 58 { "strHostName":"a20da5de-49e5-469a-92ea-41b5adb74ea4" } Response: Response {"PxgRetVal":"8122017D5C4081753E8FDE94244DC1AF"} HostTasks GetTaskData Acquire task settings. (HostTasks::GetTaskData) strSrvObjId - server object ID that got from HostGroup.GetHostTasks strTask - storage identifier of the task (such as returned by HostTasks.AddTask) HostTasks::GetTaskData POST /api/v1.0/HostTasks.GetTaskData HTTP/1.1 Host: localhost:13299 X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg== Content-Type: application/json Content-Length: 112 { "strTask":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056", "strSrvObjId":"8122017D5C4081753E8FDE94244DC1AF" } Response: Response {"PxgRetVal":{"EVENT_TYPE":"PRTS_EVENT_NONE","FILTER_EVENTS_COMPONENT_NAME":"","FILTER_EVENTS_INSTANCE_ID":"","FILTER_EVENTS_PRODUCT_NAME":"","FILTER_EVENTS_VERSION":"","TASKID_COMPONENT_NAME":"Connector","TASKID_INSTANCE_ID":"","TASKID_PRODUCT_NAME":"KES","TASKID_VERSION":"11.0.0.0","TASKSCH_FIRST_EXECUTION_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASKSCH_FIRST_EXECUTION_TIME_SEC":0,"TASKSCH_LIFETIME":{"type":"datetime","value":""},"TASKSCH_MS_PERIOD":0,"TASKSCH_RUN_MISSED_FLAG":false,"TASKSCH_TYPE":0,"TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"CompatibilityInfo":{"type":"params","value":{"MinimalPluginVersion":"11.7.0.0"}},"PRTS_TASK_EXT_SHEDULE_FLAGS":0,"exclusionRules":[{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}},"name":"DNS","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":"
"},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}},"name":"DNS","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":true,"paths":["%systemroot%\\system32\\dns.exe"]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":65535,"start":49152}}]}},"name":"Large numbered TCP ports, randomly assigned by the RPC service","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":true,"paths":["%systemroot%\\system32\\svchost.exe"]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":135,"start":135}}]}},"name":"RPC Endpoint 
Mapper","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":0,"localPorts":{"type":"params","value":{"enabled":false,"portRange":[]}},"name":"DNS client","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":0,"localPorts":{"type":"params","value":{"enabled":false,"portRange":[]}},"name":"DNS client","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":53,"start":53}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":2,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":68,"start":68}}]}},"name":"DHCP 
server","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":67,"start":67}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":2,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":67,"start":67}}]}},"name":"DHCP client","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":68,"start":68}}]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":2535,"start":2535}}]}},"name":"MADCAP","protocol":{"type":"params","value":{"enabled":true,"id":17}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}},{"type":"params","value":{"applications":{"type":"params","value":{"enabled":false,"paths":[]}},"dataSource":1,"localPorts":{"type":"params","value":{"enabled":true,"portRange":[{"type":"params","value":{"end":647,"start":647}}]}},"name":"DHCP 
failover","protocol":{"type":"params","value":{"enabled":true,"id":6}},"remoteAddress":{"type":"params","value":{"enabled":false,"ip":{"type":"params","value":{"octets":{"type":"binary","value":""},"zoneIPv6":""}}}},"remotePorts":{"type":"params","value":{"enabled":false,"portRange":[]}}}}],"isolationDuration":3600000,"klprts-TaskStorageId":"_LOCAL_2d076fbe-7e60-4a99-9177-173076a5a2b1","ksc_settings_compatibility::TaskUniqueId":"89621cce@xdr_networkisolation_start@NetworkIsolationStart","responseId":{"type":"long","value":7998665773575485050}}},"TASK_CLASS_ID":0,"TASK_DEL_AFTER_RUN_FLAG":false,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Network isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":256}},"TASK_LAST_EXEC_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASK_LAST_EXEC_TIME_SEC":0,"TASK_MAX_EXEC_TIME":0,"TASK_NAME":"xdr_networkisolation_start","TASK_PREP_START":0,"TASK_PRIORITY":1,"TASK_START_DELTA":0,"TASK_UNIQUE_ID":"_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"}} Copy some of value from response and change parameters on next request with Network isolation exclusions RDP protocol (for example): exclusionRules { "type": "params", "value": { "applications": { "type": "params", "value": { "enabled": true, "paths": [] } }, "dataSource": 2, #inbound and outbound "localPorts": { "type": "params", "value": { "enabled": true, "portRange": [ { "type": "params", "value": { "end": 3389, #port "start": 3389 #port } } ] } }, "name": "RDP ANY", #name "protocol": { "type": "params", "value": { "enabled": true, "id": 0 #TCP and UDP } }, "remoteAddress": { "type": "params", "value": { "enabled": false, "ip": { "type": "params", "value": { "octets": { "type": "binary", "value": "" }, "zoneIPv6": "" } } } }, "remotePorts": { "type": "params", "value": { "enabled": false, "portRange": [] } } } } UpdateTask Modify task settings. 
(HostTasks::UpdateTask)

HostTasks::UpdateTask
POST /api/v1.0/HostTasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n18Zfc+1hPeedqD07uM96/A==
Content-Type: application/json
Content-Length: 32796

{
  "strTask": "_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056",
  "strSrvObjId": "46A9BEBC82C3FB1121050247A0697ECC",
  "pData": {
    "TASKID_COMPONENT_NAME": "Connector",
    "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0",
    "TASKSCH_TYPE": 5,
    "TASK_ADDITIONAL_PARAMS": {
      "type": "params",
      "value": {
        "CompatibilityInfo": { "type": "params", "value": { "MinimalPluginVersion": "11.8.0.0" } },
        "PRTS_TASK_EXT_SHEDULE_FLAGS": 0,
        "exclusionRules": [
          {
            "type": "params",
            "value": {
              "applications": { "type": "params", "value": { "enabled": true, "paths": [] } },
              "dataSource": 2,
              "localPorts": {
                "type": "params",
                "value": {
                  "enabled": true,
                  "portRange": [ { "type": "params", "value": { "end": 3389, "start": 3389 } } ]
                }
              },
              "name": "RDP ANY",
              "protocol": { "type": "params", "value": { "enabled": true, "id": 0 } },
              "remoteAddress": {
                "type": "params",
                "value": {
                  "enabled": false,
                  "ip": { "type": "params", "value": { "octets": { "type": "binary", "value": "" }, "zoneIPv6": "" } }
                }
              },
              "remotePorts": { "type": "params", "value": { "enabled": false, "portRange": [] } }
            }
          }
        ],
        "isolationDuration": 28800000,
        "klprts-TaskStorageId": "_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056",
        "ksc_settings_compatibility::TaskUniqueId": "89621cce@xdr_networkisolation_start@NetworkIsolationStart",
        "responseId": { "type": "long", "value": 4294967295 }
      }
    },
    "TASK_CLASS_ID": 0,
    "TASK_DEL_AFTER_RUN_FLAG": false,
    "TASK_INFO_PARAMS": {
      "type": "params",
      "value": { "DisplayName": "Network isolation", "klprts-TaskCannotBeDeleted": true, "klprts-TaskScheduleSubtype": 512 }
    },
    "TASK_NAME": "xdr_networkisolation_start",
    "TASK_PREP_START": 0,
    "TASK_PRIORITY": 1,
    "TASK_START_DELTA": 0,
    "TASK_UNIQUE_ID": "_LOCAL_2212c5ce-c23d-4c55-8bca-656221d5f056"
  }
}

Response:
{ }

The host is isolated successfully with an allowed RDP session.

Isolation OFF
For example:
Isolation OFF => "TASK_NAME":"xdr_networkisolation_stop" .... "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"

GetHostTasks
Return server specific identity to acquire and manage host tasks. (HostGroup::GetHostTasks)

HostGroup.GetHostTasks
POST /api/v1.0/HostGroup.GetHostTasks HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 58

{ "strHostName":"a20da5de-49e5-469a-92ea-41b5adb74ea4" }

Response:
{"PxgRetVal":"8122017D5C4081753E8FDE94244DC1AF"}

HostTasks GetTaskData
Acquire task settings. (HostTasks::GetTaskData)
strSrvObjId - server object ID obtained from HostGroup.GetHostTasks
strTask - storage identifier of the task (such as returned by HostTasks.AddTask)

HostTasks::GetTaskData
POST /api/v1.0/HostTasks.GetTaskData HTTP/1.1
Host: localhost:13299
X-KSC-Session: nXo75DRoFMRjNp2jwByKlfg==
Content-Type: application/json
Content-Length: 112

{ "strTask":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d", "strSrvObjId":"8122017D5C4081753E8FDE94244DC1AF" }

Response:
{"PxgRetVal":{"EVENT_TYPE":"PRTS_EVENT_NONE","FILTER_EVENTS_COMPONENT_NAME":"","FILTER_EVENTS_INSTANCE_ID":"","FILTER_EVENTS_PRODUCT_NAME":"","FILTER_EVENTS_VERSION":"","TASKID_COMPONENT_NAME":"Connector","TASKID_INSTANCE_ID":"","TASKID_PRODUCT_NAME":"KES","TASKID_VERSION":"11.0.0.0","TASKSCH_FIRST_EXECUTION_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASKSCH_FIRST_EXECUTION_TIME_SEC":0,"TASKSCH_LIFETIME":{"type":"datetime","value":""},"TASKSCH_MS_PERIOD":0,"TASKSCH_RUN_MISSED_FLAG":false,"TASKSCH_TYPE":0,"TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"CompatibilityInfo":{"type":"params","value":{"MinimalPluginVersion":"11.8.0.0"}},"PRTS_TASK_EXT_SHEDULE_FLAGS":0,"klprts-TaskStorageId":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d","ksc_settings_compatibility::TaskUniqueId":"59e0cc70@xdr_networkisolation_stop@NetworkIsolationStop","responseId":{"type":"long","value":4294967295}}},"TASK_CLASS_ID":0,"TASK_DEL_AFTER_RUN_FLAG":false,"TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"Termination of network isolation","klprts-TaskCannotBeDeleted":true,"klprts-TaskScheduleSubtype":256}},"TASK_LAST_EXEC_TIME":{"type":"datetime","value":"1970-01-01T00:00:00Z"},"TASK_LAST_EXEC_TIME_SEC":0,"TASK_MAX_EXEC_TIME":0,"TASK_NAME":"xdr_networkisolation_stop","TASK_PREP_START":0,"TASK_PRIORITY":1,"TASK_START_DELTA":0,"TASK_UNIQUE_ID":"_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"}} Copy some value from response and change parameters on the next request with Network isolation exclusions. UpdateTask Modify task settings. 
(HostTasks::UpdateTask)

HostTasks::UpdateTask
POST /api/v1.0/HostTasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n18Zfc+1hPeedqD07uM96/A==
Content-Type: application/json
Content-Length: 32796

{
  "strTask": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
  "strSrvObjId": "A06A16B837CC0E73BD3BCCDAA98A3129",
  "pData": {
    "TASKID_COMPONENT_NAME": "Connector",
    "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0",
    "TASKSCH_MS_PERIOD": 0,
    "TASKSCH_TYPE": 5,
    "TASK_ADDITIONAL_PARAMS": {
      "type": "params",
      "value": {
        "CompatibilityInfo": { "type": "params", "value": { "MinimalPluginVersion": "11.8.0.0" } },
        "PRTS_TASK_EXT_SHEDULE_FLAGS": 0,
        "klprts-TaskStorageId": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d",
        "ksc_settings_compatibility::TaskUniqueId": "59e0cc70@xdr_networkisolation_stop@NetworkIsolationStop",
        "responseId": { "type": "long", "value": 4294967295 }
      }
    },
    "TASK_CLASS_ID": 0,
    "TASK_DEL_AFTER_RUN_FLAG": false,
    "TASK_INFO_PARAMS": {
      "type": "params",
      "value": { "DisplayName": "Termination of network isolation", "klprts-TaskCannotBeDeleted": true, "klprts-TaskScheduleSubtype": 512 }
    },
    "TASK_NAME": "xdr_networkisolation_stop",
    "TASK_PREP_START": 0,
    "TASK_PRIORITY": 1,
    "TASK_START_DELTA": 0,
    "TASK_UNIQUE_ID": "_LOCAL_f0395954-c011-445c-b2e3-0a1074a2cf8d"
  }
}

Compared with the GetTaskData response, the values that change are "TASKSCH_TYPE" (set to 5) and "klprts-TaskScheduleSubtype" (set to 512).

Response:
{ }

The host is unblocked successfully.

End Session
End the session to KSC (Session::EndSession):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='
The X-KSC-Session value is the PxgRetVal returned by Session.StartSession.
-
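Every payload in the KES isolation requests above, and the KEA SS_Read/SS_Write payloads in this article, use the same typed JSON convention: nested objects are wrapped as {"type": "params", "value": {...}}, 64-bit integers as {"type": "long", "value": n}, and byte fields as {"type": "binary", "value": <base64>}. Hand-editing a 30 KB GetTaskData response to add one exclusion rule is where mistakes happen, so here is an added example (not the KlAkOAPI package and not Kaspersky's code) that decodes that convention into plain Python values, builds an exclusion rule in the typed form, and appends it to a task payload ready for HostTasks.UpdateTask. The plain-dict layout and the handling of "long"/"binary"/"datetime" wrappers are assumptions read off the responses shown above; the sample task data is a constructed subset of the xdr_networkisolation_start response.

```python
"""Encode/decode the KSC Open API typed-params JSON and build a KES network
isolation exclusion rule. Added example, not the KlAkOAPI package."""
import base64
import copy


def decode_params(node):
    """Strip {"type": ..., "value": ...} wrappers into plain Python values (assumed mapping)."""
    if isinstance(node, dict):
        if set(node) == {"type", "value"}:
            t, v = node["type"], node["value"]
            if t == "params":
                return decode_params(v)
            if t == "long":
                return int(v)
            if t == "binary":
                return base64.b64decode(v) if v else b""
            return decode_params(v)          # "datetime" and other scalar wrappers keep their value
        return {k: decode_params(v) for k, v in node.items()}
    if isinstance(node, list):
        return [decode_params(x) for x in node]
    return node


def encode_params(value):
    """Inverse of decode_params for dicts, lists and bytes; plain ints stay plain."""
    if isinstance(value, dict):
        return {"type": "params", "value": {k: encode_params(v) for k, v in value.items()}}
    if isinstance(value, list):
        return [encode_params(x) for x in value]
    if isinstance(value, bytes):
        return {"type": "binary", "value": base64.b64encode(value).decode()}
    return value


def kes_port_exclusion(name, port, data_source=2, protocol_id=0):
    """One "exclusionRules" entry for the KES xdr_networkisolation_start task.

    Defaults follow the RDP example in the article: dataSource 2 = inbound and
    outbound, protocol id 0 = TCP and UDP, local port range collapsed to one port."""
    rule = {
        "applications": {"enabled": True, "paths": []},
        "dataSource": data_source,
        "localPorts": {"enabled": True, "portRange": [{"end": port, "start": port}]},
        "name": name,
        "protocol": {"enabled": True, "id": protocol_id},
        "remoteAddress": {"enabled": False, "ip": {"octets": b"", "zoneIPv6": ""}},
        "remotePorts": {"enabled": False, "portRange": []},
    }
    return encode_params(rule)


def add_exclusion(task_data, rule):
    """Return a copy of a GetTaskData "PxgRetVal" with rule appended, ready to send as "pData"."""
    data = copy.deepcopy(task_data)                     # never mutate the fetched response
    params = data["TASK_ADDITIONAL_PARAMS"]["value"]
    params.setdefault("exclusionRules", []).append(rule)
    return data


# Constructed subset of the xdr_networkisolation_start GetTaskData response above.
SAMPLE_TASK_DATA = {
    "TASKID_COMPONENT_NAME": "Connector",
    "TASKID_PRODUCT_NAME": "KES",
    "TASKID_VERSION": "11.0.0.0",
    "TASKSCH_TYPE": 0,
    "TASK_ADDITIONAL_PARAMS": {"type": "params", "value": {
        "CompatibilityInfo": {"type": "params", "value": {"MinimalPluginVersion": "11.7.0.0"}},
        "isolationDuration": 3600000,
        "responseId": {"type": "long", "value": 7998665773575485050},
    }},
    "TASK_NAME": "xdr_networkisolation_start",
}

if __name__ == "__main__":
    import json
    updated = add_exclusion(SAMPLE_TASK_DATA, kes_port_exclusion("RDP ANY", 3389))
    print(json.dumps(updated, indent=1))
    print(decode_params(updated)["TASK_ADDITIONAL_PARAMS"]["exclusionRules"][0]["localPorts"])
```

The decoder treats any dict whose keys are exactly "type" and "value" as a wrapper, which holds for every response in this article; decoded "long" values come back as Python ints, so compare them numerically rather than as strings.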
Description and cautions
This article gives some use case examples of KSC API calls to ease one's start using the API. In this KB we look at the host isolation scenario with KES/KEA.

For the Windows version of cURL, you need to specify that the arguments are escaped with "\", otherwise there will be an error. For example:
'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details
Prerequisites:
- Internal user: api-user
- Example KSC address: 127.0.0.1 (the address can also be external)
- API port: 13299 (default)
- User: api-user (internal KSC user), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
- Authentication type: Authenticated session (for other types, see the KSC Open API description)

Requests are given in cURL and HTTP formats; as an alternative, it is also possible to use the Python library (KlAkOAPI Python package).

Login
Start a connection to KSC (Session::StartSession):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

Username and password should be base64-encoded; base64 is an encoding, not encryption, so the request relies on the HTTPS session for confidentiality. For example, https://www.base64encode.org/ can be used for encoding (a local tool such as the base64 command avoids pasting credentials into a third-party site).

Response:
{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Use this token as the X-KSC-Session request header in the following requests.

Find Host
Find a host by filter string (HostGroup::FindHosts). The filter string contains a condition over host attributes; see also Search filter syntax.
We use "KLHST_WKS_DN" - Host display name.

HostGroup::FindHosts
POST /api/v1.0/HostGroup.FindHosts HTTP/1.1
Host: localhost:13299
X-KSC-Session: nH4iKWCdxuBJWO5U4ATKSew==
Content-Type: application/json
Content-Length: 170

{
  "vecFieldsToReturn": [ "KLHST_WKS_HOSTNAME", "KLHST_WKS_DN" ],
  "lMaxLifeTime": 1200,
  "wstrFilter": "(KLHST_WKS_DN=\"WIN10-*\")"
}

Response:
{"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":18}

Copy the accessor for the next request (ChunkAccessor::GetItemsChunk):
curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\", \"nStart\": 0, \"nCount\": 100 }"

Response with info about the hosts:
{
  "pChunk": {
    "KLCSP_ITERATOR_ARRAY": [
      { "type": "params", "value": { "KLHST_WKS_DN": "WIN10-OPTIMUM-1", "KLHST_WKS_HOSTNAME": "c0816918-fbc5-4fbc-8fed-6f245756120e" } },
      { "type": "params", "value": { "KLHST_WKS_DN": "WIN10-KES-11-OLD", "KLHST_WKS_HOSTNAME": "ab365e11-a1c7-492b-a981-e84402b33a8f" } }
    ]
  },
  ........
  "PxgRetVal": 18
}

Copy the value of "KLHST_WKS_HOSTNAME" for the next request.

KEA Isolation

HostGroup.GetHostInfo
Acquire specified host attributes. (HostGroup::GetHostInfo)
strHostName (wstring) - host name, a unique server-generated string (see the KLHST_WKS_HOSTNAME attribute). It is NOT the same as the computer network name (DNS-, FQDN-, NetBIOS-name).
pFields2Return (array) - array of names of host attributes to return. See List of host attributes for attribute names.

HostGroup.GetHostInfo
POST /api/v1.0/HostGroup.GetHostInfo HTTP/1.1
Host: localhost:13299
X-KSC-Session: nH4iKWCdxuBJWO5U4ATKSew==
Content-Type: application/json
Content-Length: 185

{
  "strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f",
  "pFields2Return": [ "KLHST_WKS_HOSTNAME", "KLHST_WKS_DN", "KLHST_APP_INFO" ]
}

HostGroup.SS_GetNames
Get section names from host settings storage.
(HostGroup::SS_GetNames)
Parameter values should be taken from the previous response.

HostGroup::SS_GetNames
POST /api/v1.0/HostGroup.SS_GetNames HTTP/1.1
Host: localhost:13299
X-KSC-Session: nqH6Qma75t/wBcQm8vlyqvQ==
Content-Type: application/json
Content-Length: 148

{
  "strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f",
  "strType":"SS_SETTINGS",
  "strProduct":"SOYUZ",
  "strVersion":"4.0.0.0"
}

Response:
{
  "PxgRetVal": [
    ".KLNAG_SECTION_REBOOT_REQUEST", "85", "AccountLogonSettings", "ApplicationSettings", "AutoStartEntriesNotifySettings", "ConnectionSettings", "CreateProcessSettings", "FileChangeNotificationSettsEdr", "KLEVP_NF_SECTION", "KsnServiceSettings", "LoadImageSettingsEdr", "MaintenanceSettings", "MdrServiceSettings", "MessageBrokerSettings", "NetworkConnectionSettingsEdr", "NetworkIsolationProfilesSetts",
    "NetworkIsolationSettings",
    "PasswordSettings", "PreventionSettings", "ProductPermissionSettings", "QuarantineSettings", "SandboxSettings", "SelfDefenceSettings", "UserModeApiMonitorSrvSettings", "WMIActivitySettings", "WindowsEventLogSettingsEdr", "WindowsRegistrySettings"
  ]
}

Copy the "NetworkIsolationSettings" section name: it is the section used in the next requests.

With the NWC web console, KSC creates a local network exception for VPN as follows:
1) Open host properties → Applications → KEA
2) Open tab APP Settings → Network Isolation → Isolation on detection
3) Add a rule for RDP → click "OK" → click "Save"

HostGroup.SS_Read
Read data from host settings storage.
(HostGroup::SS_Read)
Parameter values should be taken from the two previous responses.

HostGroup::SS_Read
POST /api/v1.0/HostGroup.SS_Read HTTP/1.1
Host: localhost:13299
X-KSC-Session: nqc+0P0UI+Wzuu+FREB74yQ==
Content-Type: application/json
Content-Length: 194

{
  "strHostName":"ab365e11-a1c7-492b-a981-e84402b33a8f",
  "strType":"SS_SETTINGS",
  "strProduct":"SOYUZ",
  "strVersion":"4.0.0.0",
  "strSection":"NetworkIsolationSettings"
}

Response with info about Network Isolation with the RDP rule exception:
{
  "PxgRetVal": {
    "BaseSettings": { "type": "params", "value": { "Revision": { "type": "long", "value": 0 }, "__VersionInfo": [ 1, 0 ] } },
    "Enable": false,
    "Exclusions": [
      {
        "type": "params",
        "value": {
          "Description": "Custom (user-defined)",
          "Name": "Custom (user-defined)",
          "Rules": [
            {
              "type": "params",
              "value": {
                "AppProtocolName": "RDP",
                "Applications": [],
                "Direction": 3,
                "Enable": true,
                "LocalAddress": "",
                "LocalPort": { "type": "params", "value": { "MaxPort": 3389, "MinPort": 3389, "__VersionInfo": [ 1, 0 ] } },
                "Protocol": 0,
                "RemoteAddress": "",
                "RemotePort": { "type": "params", "value": { "MaxPort": 0, "MinPort": 0, "__VersionInfo": [ 1, 0 ] } },
                "UseApplications": false,
                "UseLocalAddress": false,
                "UseLocalPort": true,
                "UseProtocol": false,
                "UseRemoteAddress": false,
                "UseRemotePort": false,
                "__VersionInfo": [ 1, 1 ]
              }
            }
          ],
          "__VersionInfo": [ 1, 0 ]
        }
      }
    ],
    "IsolationTimeout": 1800,
    "NotifyUser": true,
    "UseIsolationTimeout": true,
    "__VersionInfo": [ 1, 2 ]
  }
}

Copy the whole response for the next request.

HostGroup.SS_Write
Write data to host settings storage to isolate the workstation with the RDP rule. (HostGroup::SS_Write)
1) Use the parameter values from the previous request.
2) For nOption use 7. 7 - "Clear": replaces the existing section contents with pData, i.e. the existing section contents will be deleted and the variables from pData will be written to the section.
3) For pSettings, paste the previous response and change "Enable" to true.

HostGroup::SS_Write
POST /api/v1.0/HostGroup.SS_Write HTTP/1.1
Host: localhost:13299
X-KSC-Session: nbpsiiOAAxiDWfMSVkgciWQ==
Content-Type: application/json
Content-Length: 1066

{
  "strHostName":"bdcae680-eeaa-4279-a822-92a0d3e01dfb",
  "strType":"SS_SETTINGS",
  "strProduct":"SOYUZ",
  "strVersion":"4.0.0.0",
  "strSection":"NetworkIsolationSettings",
  "nOption":7,
  "pSettings":{
    "BaseSettings": { "type": "params", "value": { "Revision": { "type": "long", "value": 0 }, "__VersionInfo": [ 1, 0 ] } },
    "Enable": true,
    "Exclusions": [
      {
        "type": "params",
        "value": {
          "Description": "Custom (user-defined)",
          "Name": "Custom (user-defined)",
          "Rules": [
            {
              "type": "params",
              "value": {
                "AppProtocolName": "RDP",
                "Applications": [],
                "Direction": 3,
                "Enable": true,
                "LocalAddress": "",
                "LocalPort": { "type": "params", "value": { "MaxPort": 3389, "MinPort": 3389, "__VersionInfo": [ 1, 0 ] } },
                "Protocol": 0,
                "RemoteAddress": "",
                "RemotePort": { "type": "params", "value": { "MaxPort": 0, "MinPort": 0, "__VersionInfo": [ 1, 0 ] } },
                "UseApplications": false,
                "UseLocalAddress": false,
                "UseLocalPort": true,
                "UseProtocol": false,
                "UseRemoteAddress": false,
                "UseRemotePort": false,
                "__VersionInfo": [ 1, 1 ]
              }
            }
          ],
          "__VersionInfo": [ 1, 0 ]
        }
      }
    ],
    "IsolationTimeout": 1800,
    "NotifyUser": true,
    "UseIsolationTimeout": true,
    "__VersionInfo": [ 1, 2 ]
  }
}

In this request "Enable": true switches isolation on, and the rule with "AppProtocolName": "RDP" is the custom exclusion for RDP.

Response:
{ }

The host is isolated successfully. To switch isolation off, paste the previous response into pSettings again and change "Enable" to false.
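The Login, Find Host and End Session steps of this article form one exchange: build the KSCBasic header from base64 user and password, take PxgRetVal from Session.StartSession as the X-KSC-Session value, run HostGroup.FindHosts, then page through the accessor with ChunkAccessor.GetItemsChunk until PxgRetVal (the total count) is reached. As an added example (not the KlAkOAPI package and not Kaspersky's code), the client below does exactly that with the standard library. Its transport is injectable, so the block runs here against a fake server whose replies are constructed from the article's own examples (api-user/password, the two WIN10 hosts); against a real server, drop the transport argument and the default urllib transport is used.

```python
"""Minimal KSC Open API client for login, host lookup with paging, and logout.
Added example, not the KlAkOAPI package."""
import base64
import json
import urllib.request


class KscClient:
    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.session = None
        self._transport = transport or self._http_post

    @staticmethod
    def _http_post(url, headers, body):
        """Real transport: POST JSON over HTTPS with urllib (server certificate verified by default)."""
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def call(self, method, params=None, extra_headers=None):
        """POST /api/v1.0/<method>; the session token rides in X-KSC-Session once we have one."""
        headers = {"Content-Type": "application/json"}
        if self.session:
            headers["X-KSC-Session"] = self.session
        headers.update(extra_headers or {})
        body = json.dumps(params or {}).encode()
        return self._transport(self.base_url + "/api/v1.0/" + method, headers, body)

    def start_session(self, user, password, internal=True):
        """KSCBasic: credentials are base64 (encoding, not encryption), so use HTTPS only."""
        u = base64.b64encode(user.encode()).decode()
        p = base64.b64encode(password.encode()).decode()
        auth = 'KSCBasic user="%s", pass="%s", internal="%d"' % (u, p, int(internal))
        resp = self.call("Session.StartSession", extra_headers={"Authorization": auth})
        self.session = resp["PxgRetVal"]
        return self.session

    def find_hosts(self, wstr_filter, fields=("KLHST_WKS_HOSTNAME", "KLHST_WKS_DN"), chunk=100):
        """FindHosts returns an accessor and the total count; page through it with GetItemsChunk."""
        found = self.call("HostGroup.FindHosts", {
            "wstrFilter": wstr_filter, "vecFieldsToReturn": list(fields), "lMaxLifeTime": 1200})
        accessor, total = found["strAccessor"], found["PxgRetVal"]
        hosts, start = [], 0
        while start < total:
            page = self.call("ChunkAccessor.GetItemsChunk",
                             {"strAccessor": accessor, "nStart": start, "nCount": chunk})
            items = page["pChunk"]["KLCSP_ITERATOR_ARRAY"]
            if not items:
                break                      # server returned fewer rows than the count promised
            hosts.extend(item["value"] for item in items)
            start += len(items)
        return hosts

    def end_session(self):
        self.call("Session.EndSession")
        self.session = None


# Fake transport standing in for a KSC server; replies constructed from the article's examples.
def fake_ksc(url, headers, body):
    method = url.rsplit("/", 1)[1]
    params = json.loads(body)
    if method == "Session.StartSession":
        assert headers["Authorization"].startswith('KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ="')
        return {"PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A=="}
    assert headers.get("X-KSC-Session") == "nsPbUpP1oAVZlM1lODEbg8A==", "no session token"
    if method == "HostGroup.FindHosts":
        return {"strAccessor": "ppYeO5rmkvKcMUm8vQzOK2", "PxgRetVal": 2}
    if method == "ChunkAccessor.GetItemsChunk":
        rows = [
            {"type": "params", "value": {"KLHST_WKS_DN": "WIN10-OPTIMUM-1",
                                         "KLHST_WKS_HOSTNAME": "c0816918-fbc5-4fbc-8fed-6f245756120e"}},
            {"type": "params", "value": {"KLHST_WKS_DN": "WIN10-KES-11-OLD",
                                         "KLHST_WKS_HOSTNAME": "ab365e11-a1c7-492b-a981-e84402b33a8f"}},
        ]
        s, n = params["nStart"], params["nCount"]
        return {"pChunk": {"KLCSP_ITERATOR_ARRAY": rows[s:s + n]}, "PxgRetVal": 2}
    if method == "Session.EndSession":
        return {}
    raise ValueError("unexpected method " + method)


def lookup_host_ids(pattern='(KLHST_WKS_DN="WIN10-*")', transport=fake_ksc):
    """Full exchange: login, search, page, logout. Returns {display name: KLHST_WKS_HOSTNAME}."""
    c = KscClient("https://127.0.0.1:13299", transport)
    c.start_session("api-user", "password")
    try:
        return {h["KLHST_WKS_DN"]: h["KLHST_WKS_HOSTNAME"] for h in c.find_hosts(pattern)}
    finally:
        c.end_session()                    # always release the session, even on a failed search


if __name__ == "__main__":
    print(lookup_host_ids())
```

The KLHST_WKS_HOSTNAME values this returns are the server-generated ids that the GetHostInfo, SS_GetNames, SS_Read and SS_Write requests above take as strHostName; the display name is never accepted there.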
-
How to renew the KSC certificate correctly [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
This article is about Kaspersky Security Center for Windows (KSC for Windows)

Problem:
KSC certificate renewal or replacement is made incorrectly because the option to instantly replace the server certificate is used. As a result, managed devices lose the connection with KSC, and the klmover command or re-installation of klnagent is required to restore connectivity.

Cause:
After the certificate is renewed with the "-t C" option, network agents do not receive the new certificate and have no connection to the server.

Solution:
To avoid such issues, run the certificate renewal script with the "-t CR" option (CR: replace the common reserve certificate for ports 13000 and 13291) and the "-f" option with a date in the <dd.mm.yyyy> format 3–4 weeks ahead of the current one. The time set aside before switching to the reserve certificate allows the new certificate to be distributed to all Kaspersky Network Agents (Nagent):

-t <type>
Type of certificate to be replaced. Possible values of the <type> parameter:
C—Replace the common certificate for ports 13000 and 13291.
CR—Replace the common reserve certificate for ports 13000 and 13291.
M—Replace the certificate for mobile devices on port 13292.
MR—Replace the mobile reserve certificate for port 13292.
MCA—Mobile client CA for auto-generated user certificates.

-f <time>
Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291). Use this parameter if you want to replace the common or reserve certificate before it expires. Specify the time when managed devices must synchronize with Administration Server on a new certificate.

For example, consider the command "klsetsrvcert.exe -f "DD-MM-YYYY hh:mm" -t CR -g nb.loc". Since this command was used in October, a reserve certificate would be created and distributed to all nagents within a month. Thus, the certificate should have been applied on November 1, 2022.
Verification of the reserve certificate on managed hosts

Let's check whether the reserve certificate has been applied on the host. To do this, run the following command using the klscflag utility:

klscflag.exe -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_CERTDATA -n KLNAG_SSL_SERVER_CERT_RESERVE -ss '|ss_type = \"SS_LOCAL_MACHINE\";'

The certificate has been delivered. If the reserve certificate has not yet been delivered to the destination host, the command returns the following result:

Verification of the reserve certificate on secondary Administration Servers

When the command to renew the certificate is issued on the primary server, the activity is logged to C:\ProgramData\KasperskyLab\adminkit\logs\CertRenewSysLogName.syslog. Open it on the primary server and check the recent entry containing "Server reserve certificate", for example:

This certificate should be propagated automatically to all secondary servers within the remaining time, before the common certificate expires. If at least one secondary KSC Server is connected to the primary KSC, run the following SQL query against the database used by each secondary server.

MS SQL query to be run on a secondary KSC Server:
USE KAV;
select imgMasterReservedCert as ReserveCertificate from aksrv_server_props;

KAV is the name of the database used by the secondary server. The query displays the identifier of the primary KSC reserve certificate received by the secondary Administration Server; it should partly match the number from the syslog entry shown above:

If secondary KSC Servers are located in a DMZ, KSC should be able to connect to them to download the certificate. If no information about the secondary server's certificate is stored in the database of the primary server, automatic renewal of the secondary server's certificate will not work properly: the secondary server will be disconnected when the certificate expires and must be re-connected manually by the KSC administrator.
To avoid this situation, use the following SQL query to make sure all certificates of the secondary servers have been received by the primary KSC successfully.

Query to be run on the primary KSC:
select Hosts.strDisplayName as SecondaryServerName,
       cast(cast(child_servers.imgCertificate as varbinary(max)) as varchar(max)) as CurrentCertificate,
       cast(cast(child_servers.imgReserveCert as varbinary(max)) as varchar(max)) as ReserveCertificate
from child_servers
inner join Hosts on child_servers.nIdHost = Hosts.nId;

The current certificate is expected to be not NULL. Otherwise, re-connect the secondary server to the primary manually and make sure there is no connectivity issue. Example:

Please be advised that automatic renewal of the secondary server certificate is supported since KSC 14.0. Older versions are not supported.

Known problems

Problem with Web Console login (incorrect user or password): see the article https://forum.kaspersky.com/blogs/entry/331-ksc-web-console-shows-an-error-after-upgrade-incorrect-user-or-password-ksc-for-windows/

Error "Failed to establish connection with the remote device": this error occurs because two consecutive commands are executed on the same line. The first command is "-t CR -g nb.loc" and the second is "-f '20-12-2023 00:00'". Since the Administration Server restarts after executing the first command, the second command waits for some timeout before executing. In some user configurations, restarting the service can take a long time, so the second part is executed when the server has not started yet, which leads to the above error. To fix this behavior, run the commands separately, according to this scenario:
1. Run .\klsetsrvcert.exe -t CR -g nb.loc
2. Wait until the Administration Server service starts completely (you can check by connecting with the console).
3. Run .\klsetsrvcert.exe -f '20-12-2023 00:00'
-
The problem is in the certificate: it has a 1024-bit key, while Web Console now works only with 2048-bit keys. The customer needs to reissue the KSC server certificate with a 2048-bit key length.

What to do:
1. Generate a reserve KSC certificate, for example with the command
   klsetsrvcert -t CR -g "dns_name" -o "RsaKeyLen:2048"
   where dns_name is the DNS name of KSC.
2. Wait several days: hosts will connect to KSC and receive the reserve certificate. The customer can check on client hosts that the certificate has been received with the command
   klscflag -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_CERTDATA -n KLNAG_SSL_SERVER_CERT_RESERVE -ss "|ss_type = \"SS_LOCAL_MACHINE\";"
   If the reserve certificate is installed, the result contains something like:
   +--- (PARAMS_T)
   +---KLNAG_SSL_SERVER_CERT_RESERVE = BINARY_T (size = 2944): 2D2D2D2D2D424547494E2043455254494649434154452D2D2D2D2D0A4D494945627A4343413165674177494241674955616E63416F503772716145594E44376265534D4D47396941716951774451594A4B6F5A496876634E4151454C0A42514177567A455A4D42634741315545417777516347786C61326868626D39324C6D46...
   If there is no reserve certificate, there will be a message:
   FAILED - 1125 ('Parameter with name "KLNAG_SECTION_CERTDATA" not exist.')
3. Specify the date and time of the next certificate change with the command
   klsetsrvcert -f "DD-MM-YYYY hh:mm"
   If you are sure that the reserve certificate has already been received, you can specify a past date in this command; the certificate will be replaced right after that. Don't forget that if an agent has not received the reserve certificate and the certificate is replaced already, the agent will lose its connection to the KSC server.
4. Run the Web Console installer and specify the new klserver certificate there. Check the connection in Web Console.
-
Issue

An attempt to send a POST request via the KPSN API from a Windows client:

curl --cert C:\\Users\\user_A\\Desktop\\kpsn_api kpsn_api_crt.pem --key C:\\Users\\user_A\\Desktop\\kpsn_api kpsn_api_key.pem -k -X POST -d "{\"action\": \"check_url\",\"data\": {\"urls\": [\"website1.com\"]}}" https://10.90.116.27:80/api/

fails with the following error:

curl: (58) schannel: Failed to import cert file C:\\Users\\user_A\\Desktop\\kpsn_api kpsn_api_crt.pem, last error is 0x80092002

There is no such issue when using curl on a Linux client.

Cause

The version of curl.exe used on Windows is not configured to work with OpenSSL.

Solution

Use other tools to send requests, e.g. Insomnia or curl from Git for Windows.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

You change the account of the Administration Server service via the klsrvswch tool. Note that this is the only supported way to change the account; manual modification (for example, via services.msc) is not supported. Then you run the Install required updates and fix vulnerabilities task. As a result, the task is cancelled and updates are not installed.

Diagnostics

The following error can be found in $klserver-1093.log:

20.11.2023 10:26:16.683 00000ADC.000028C0 L4 KLSTD: Error 0x5 accessing the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#', m_dwWin32Access=0x80000000, m_dwWin32Creation=0x3, m_dwWin32Flags=0x8000000
20.11.2023 10:26:16.683 00000ADC.000028C0 L1 KLSTD: Error ERROR_ACCESS_DENIED (attempt 186 from 300) for the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#'

When checking the permissions of the file C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#, it lacks the new service account assigned to the kladminserver service:

In this example, the Administration Server account is the old service account used to start the KSC service.

Workaround

Add the new KSC service account or the KLAdmins group to the access control list of the #WSUS# file and grant it full access:
-
NAgent 15 klmover behavior change [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
In NAgent 15, klmover was updated and now requires the NAgent uninstallation password if one is set in the NAgent policy. Right now the password can't be passed to klmover as an argument, but it can be supplied via echo:

echo <password>|klmover -address <administration server ip>

Because cmd doesn't parse quotes and spaces in echo properly, if klmover is started from cmd and the password contains characters requiring quotes, klmover should be run from PowerShell. PowerShell has a Start-Process command that allows running a process as a different user; in this case it can be used in a batch script like this:

cd "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\"
powershell -Command "Start-Process powershell '-Command echo <password>|.\klmover.exe -address <address>' -Verb RunAs"

But if it is run as a scheduled task in a group policy, it would be better to set the task to run as a user with administrator privileges and set it to run with highest privileges.

Previous NAgent klmover versions are not compatible with NAgent 15.
-
Scenario

After the deployment of KSC in the environment, the Backup task fails with the following error, whether run as the KSC Backup task or via the klbackup utility (screenshot below). All permissions were correctly assigned on the shared folder and the ports were opened, but the backup was still failing. There were no blocking events in the firewall traffic logs.

Error -1963 ('Database connection is broken " 'Connection failure{08S01};' LastStataement='select type from sys.system_object where name = 'dsm_os_host_info';'"

Root cause

The issue was identified as the IPS module of the firewall (Fortinet/Palo Alto) in the environment. When the backup task was initiated, the IPS module was blocking the SQL backup query with "SMB Injection/Attack" signatures.

Solution

Disable the IPS policy on the firewall for the KSC and MS SQL servers, and the backup task will complete successfully.
-
Problem Description, Symptoms & Impact

The installation of the Network Agent is not possible on a device because of the error System error 0x1F (A device attached to the system is not functioning.)

Diagnostics

The following line can be found in the MSI log and the Application event log:

(1192/0x0 ("System container 'LOC-PUB-6EEB50F8D2EB46029DB4CCB77E0DA651' is corrupt")

Workaround & Solution

The issue comes from a corrupt cryptostorage in the OS. It is not a KL-related issue, although there is a possible solution to fix it.
1. On the problem host, launch cmd.exe with administrative privileges.
2. Run klcryptstgclean.exe:
   klcryptstgclean -tl 4 -tf $klcryptstgclean_trace.txt -l klcryptstgclean.log
3. Try to install NAgent.
4. If it doesn't help, perform the actions from the Cryptostorage-1.docx file.
5. If the installation fails again, send the following files to Kaspersky Support: "$klcryptstgclean_trace.txt", "klcryptstgclean.log", and a new GSI with the klnagent installation logs.

It is not a KSC- or klnagent-related issue; it is an OS-related issue. If the workaround doesn't help, try the sfc /scannow command, an OS restore, OS reinstallation, or contact MS support.
-
Product: Any KSC version

Problem Description, Symptoms & Impact

Network Agent local installation errors: "Setup Wizard cannot process the command line", "Setup wizard cannot process the internal error."

Diagnostics

The error can be found on the screenshots or in the installation log.

Workaround & Solution

Some leftover registry records should be deleted, but there are too many different cases to describe them all. Collect detailed information about the error, a GSI (https://support.kaspersky.com/common/diagnostics/3632) with the Windows Event Log and the registry hive exports listed below, and create a case at https://companyaccount.kaspersky.com for further investigation by Kaspersky experts.

Registry hives to export:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\
HKEY_CLASSES_ROOT\Installer\Products

This article describes how to export registry keys: https://support.kaspersky.com/common/diagnostics/8576#block2

RCA

Leftovers of a previously installed Network Agent.
-
Product: KSC 11 and more recent versions

Consider the following problematic scenario:
You use a caching proxy server to download updates for the KSC Server, for example Squid.
KSC is configured to download updates via HTTPS (default config).

$up2date-1103-eka.log analysis

KL uses the HTTP public key pinning mechanism to verify update server authenticity; the certificate used for authentication is self-signed by KL. A certificate revocation list is also implemented. More information about the certificate revocation process is available here:
https://learn.microsoft.com/en-us/archive/blogs/ieinternals/understanding-certificate-revocation-checks
https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx

A recent update of the CRL was performed at the end of July 2023. The CRL is available at this link: http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl

The old CRL was valid until 23.7.2023 and has now expired. When KSC requests the CRL file, the proxy server sends back the cached version of it and the CRL verification fails. The details can be found in $up2date-1103-eka.log to identify the issue precisely:

04:01:48.817 0x326c INF httpcli cert_revoke 0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired)
04:01:48.817 0x326c INF httpcli Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired)
04:01:48.892 0x1d0c INF updater core: ========= Downloading primary index result TLS error =========

Troubleshooting steps

To solve the problem, an administrator of the proxy server should turn off caching of the http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl file.

It is recommended to turn off caching for all files downloaded from public update servers using these masks:
*.kaspersky.com
*.kaspersky-labs.com

An alternative workaround:
1. Set a server flag for KSC using the following command:
   klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1
   Also set the flag for Update Agents (Distribution Points) that get updates from the Internet, if any:
   klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1
2. Explicitly set the update task to use HTTP source URLs, for example http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter at http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml
-
Product: KSC 11+. Applies also to the update utility version 4.1 and more recent.

Consider the following problematic scenarios:
You have installed KSWS on the KSC server and enabled the Traffic Security component, and Traffic Security uses a MITM mechanism to analyze traffic.
You use 3rd-party software or a hardware appliance for traffic filtering and this appliance disrupts connections to HTTPS-enabled public update servers. It can be a hardware appliance like BlueCoat or F5, FortiGate SSL Deep Inspection, or a software proxy like Squid that uses ICAP to redirect traffic to another security application for scanning.

KL uses the HTTP public key pinning mechanism to verify update server authenticity; the certificate used for authentication is self-signed by KL. Using any MITM-based solution for SSL traffic inspection will lead to failures in establishing the connection between KSC and an HTTPS-enabled KL update source. This happens because any MITM traffic inspection forwards a wrong certificate to KSC after inspection and KSC 11 breaks the connection.

The following string can be found in the up2date trace:
self signed certificate in certificate chain

The following trace files are required for accurate diagnostics: $up2date-1103.*, $up2date-1103-eka.*
Please bear in mind that Kaspersky Support needs the KSC traces mentioned above to be collected BEFORE you apply any of the workarounds listed in this post.

Troubleshooting steps

If you have KSWS blocking traffic, add the Up2Date.exe process or the update source certificate to the trusted list in the Traffic Security settings.
If you use a 3rd-party appliance to filter traffic, you can explicitly allow traffic signed by the KL certificate. Otherwise you can use HTTP to download updates.

There are two ways to make KSC use HTTP:
1. Set a server flag on KSC using the following command:
   klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1
   and on Update Agents (Distribution Points) getting updates from the Internet, if any:
   klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1
   Explicitly set the update task to use HTTP source URLs, for example http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter in http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml
2. Download updates using update utility 4.0. More recent versions of the update utility use HTTPS.
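The two update-download failures described in this post and in the previous one (expired CRL served from a proxy cache, and a MITM inspection device replacing the certificate chain) leave distinctive lines in the up2date traces. The following triage script is an added example, not part of either post or of any Kaspersky tool; the log-line regex, the signature table and the extra sample lines are my own assumptions, modelled on the lines quoted above:

```python
import re

# Added example (not from the original posts): classify lines from the
# $up2date-1103-eka.log / $up2date-1103 traces against the two failure
# signatures the posts describe and attach the remedy they recommend.

# Layout of the quoted trace lines: time, thread id, level, component, message.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<thread>0x[0-9a-fA-F]+)\s+"
    r"(?P<level>[A-Z]{3})\s+(?P<component>\w+)\s+(?P<message>.*)$")

# (substring to look for, finding, remedy taken from the posts)
SIGNATURES = [
    ("eCrlHasExpired",
     "expired CRL served to KSC (stale copy from a caching proxy)",
     "exclude crl.kaspersky.com (or *.kaspersky.com, *.kaspersky-labs.com) from proxy caching"),
    ("self signed certificate in certificate chain",
     "TLS chain replaced by an inspection device (KSWS Traffic Security or a MITM appliance)",
     "trust Up2Date.exe / the KL update certificate in the inspector, or use HTTP sources (DisableKLHttps)"),
    ("Downloading primary index result TLS error",
     "update index download aborted at the TLS layer",
     "see the preceding httpcli lines for the root cause"),
]


def parse_line(line):
    """Split one trace line into its fields; None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return one finding per line that matches a known signature."""
    findings = []
    for raw in lines:
        fields = parse_line(raw) or {"time": "?", "component": "?", "message": raw.strip()}
        for needle, finding, remedy in SIGNATURES:
            if needle in fields["message"]:
                findings.append({"time": fields["time"], "component": fields["component"],
                                 "finding": finding, "remedy": remedy})
                break
    return findings


# Constructed sample: the three lines quoted in the CRL post, one harmless line,
# and one line constructed around the MITM string quoted in this post.
SAMPLE_LOG = """\
04:01:48.817 0x326c INF httpcli cert_revoke 0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired)
04:01:48.817 0x326c INF httpcli Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired)
04:01:48.850 0x326c INF httpcli Req 0x70e2909 connected to dnl-05.geo.kaspersky.com
04:01:48.892 0x1d0c INF updater core: ========= Downloading primary index result TLS error =========
04:02:10.001 0x326c ERR httpcli TLS handshake failed: self signed certificate in certificate chain
"""


def main():
    findings = triage(SAMPLE_LOG.splitlines())
    for f in findings:
        print("%s %-8s %s -> %s" % (f["time"], f["component"], f["finding"], f["remedy"]))
    return findings


if __name__ == "__main__":
    main()
```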
-
Description and cautions

You may experience a low time-to-live value set in ICMP network packets sent by klnagents. The following can be seen in a Wireshark traffic dump:

Explanation: There are two modes of distribution point search:
0 - search for the nearest DP using a tool similar to traceroute. It generates a number of ICMP packets to find out the nearest route to a DP. This is the default mode.
1 - selection of a random DP without sending such an amount of ICMP packets.

This mode is configured on the Administration Server computer via the klscflag utility and is enabled for all managed hosts. The following command should be run as administrator on the KSC Server computer to switch to mode 1:

klscflag.exe -fset -pv klserver -n SrvChooseUaMode -v 1 -t d

A restart of the kladminserver service is required to apply the change. The distribution point will then be randomly selected among all available DPs.
-
Consider the following scenario:
You have a large local area network 10.36.0.0/16. There is a managed device with the following IP config: IPv4 address 10.36.35.10 and subnet mask 255.255.255.0. You create a new subnet condition for the klnagent connection profile: 10.36.0.0/16.

Actual result: The connection profile is not applied to the managed device.

The reason for this behavior is the equality logic used by klnagent. It checks whether the condition matches by comparing the current values of the IP address and subnet mask of the managed device: IP address 10.36.35.10 is within the 10.36.0.0/16 network; however, subnet mask 255.255.255.0 is not equal to the 255.255.0.0 specified in the condition.

Solution: For the rule to work correctly, each 10.36.0.0/24 subnet (including 10.36.35.0/24) of the larger 10.36.0.0/16 network should be added as a condition:
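To make the two-part check visible and to enumerate the conditions the fix requires, here is an added Python model of the logic described above (my own illustration, not klnagent's code; the function names are assumptions):

```python
import ipaddress

# Added example, not part of the original post: a model of the klnagent
# connection-profile subnet condition. A condition matches only when the
# device's IP address lies inside the condition network AND the device's
# subnet mask is equal to the condition's mask.


def condition_matches(device_ip, device_mask, condition_cidr):
    """Return (in_network, mask_equal, applies) for one subnet condition."""
    network = ipaddress.ip_network(condition_cidr, strict=False)
    in_network = ipaddress.ip_address(device_ip) in network
    mask_equal = ipaddress.ip_address(device_mask) == network.netmask
    return in_network, mask_equal, in_network and mask_equal


def profile_applies(device_ip, device_mask, conditions):
    """A profile applies when at least one of its subnet conditions matches."""
    return any(condition_matches(device_ip, device_mask, c)[2] for c in conditions)


def conditions_for_supernet(supernet_cidr, device_mask):
    """The fix from the post, generalised: split the large network into one
    condition per subnet whose mask equals the mask configured on the devices."""
    network = ipaddress.ip_network(supernet_cidr, strict=False)
    prefix = ipaddress.ip_network("0.0.0.0/%s" % device_mask).prefixlen
    if prefix < network.prefixlen:
        raise ValueError("device mask %s is wider than %s" % (device_mask, supernet_cidr))
    return [str(sub) for sub in network.subnets(new_prefix=prefix)]


def main():
    ip, mask = "10.36.35.10", "255.255.255.0"          # the device from the scenario
    print("10.36.0.0/16:", condition_matches(ip, mask, "10.36.0.0/16"))  # (True, False, False)
    fixed = conditions_for_supernet("10.36.0.0/16", mask)
    print("conditions needed:", len(fixed), "e.g.", fixed[35])            # 256 e.g. 10.36.35.0/24
    print("profile applies:", profile_applies(ip, mask, fixed))            # True
    return fixed


if __name__ == "__main__":
    main()
```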
-
KSC Upgrade [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center. To do so, follow these steps:
1. Back up the data of Kaspersky Security Center using one of the methods described below:
   Backup and Restore Wizard
   Backup task
2. Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help. Then export the list of currently installed plug-ins in .csv format.
3. Download the latest version of Kaspersky Security Center.
4. Install Kaspersky Security Center. For instructions, see Online Help.
5. If needed, you can restore the Administration Server data. For details, see Online Help.

Important notes
Make a note of the password configured during the backup process.
Install Kaspersky Security Center on a new server if your current database server is not supported. Then restore the database data.
Restoration works between database servers of the same type. If you use SQL Server as a DBMS, you can migrate data to a MySQL or MariaDB DBMS before the upgrade. For details, see Online Help.
It is possible to restore data from an SQL Express database to an SQL Standard database, but restoration of data from an SQL Standard database to an SQL Express database is supported with limitations. For further details, please check this Online Help page.
-
KLFOC - Upgrade to KSC 14.x [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
Description and cautions

This article describes the KSC rel. 13.2 to rel. 14.x software upgrade procedure.

Prerequisites: KSC 13.2 on MS Windows

S/N  Action  (Online Help)
1    Download KSC 14.
2    Take a backup of the KSC Administration Server.
3    Take a backup of the KSC database.
4    Export policies (NA, KES) and encryption keys.
5    Run cmd as administrator -> on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center -> klfoc -stopcluster --stp klfoc  (https://support.kaspersky.com/KSC/14/en-US/222447.htm)
5.1  Check that all Kaspersky Security services have stopped on both nodes.
6    Install KSC 14 on the primary node: run the ksc_14_<build number>_full_<language>.exe file.  (https://support.kaspersky.com/KSC/14/en-US/235429.htm)
6.1  If the name of the load balancer matches the name of the first node, the upgrade process may "freeze" and will finish after several network connection timeouts: EventsProcessorProxy: #1281 Failed to establish connection with the remote device (location: 'http://kscnode01.demo.lab:13000'): connection has failed.
6.2  Perform the same steps on the passive node: run the ksc_14_<build number>_full_<language>.exe file.  (https://support.kaspersky.com/KSC/14/en-US/235429.htm)
7    Run cmd as administrator -> on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center -> klfoc -startcluster --stp klfoc  (https://support.kaspersky.com/KSC/14/en-US/222447.htm)
8    Connect to the Administration Server.
9    Restart the passive node or start the klfoc service.
10   Make sure and verify that the machines and policies are available in the console.
-
This article gives working configuration instructions for domain authentication using the NTLM and Kerberos protocols.

NOTE: Domain authentication in OpenAPI over the Kerberos protocol has the following restrictions:
The Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for the domain account name.
In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, the service of which is running under the name of the domain user <domain-user>.
The Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory using the Kerberos protocol.
Kerberos authentication should be allowed in the web browser. For details, refer to the documentation of the web browser used.

Details

SPN - Service Principal Name
Log in to the Domain Controller as a domain administrator. Open PowerShell as admin and run the following commands:

setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service
setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service

Example:
setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc
setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc
setspn.exe -L -u sales\ksc    # command to check the SPN records

# Response
Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:
    HTTP/kscw-node-1.sales.lab
    HTTP/kscw-node-2.sales.lab

Enable Kerberos/NTLM authentication in web browsers

Microsoft Edge \ Internet Explorer
1. Win + R => inetcpl.cpl
2. Activate the Security tab.
3. Select Local intranet and click Sites.
4. In the opened dialog box, click Advanced.
5. Add the host name of the Adaxes Web interface (e.g. host.company.com).
6. Click Close and then click OK.
7. Click Custom level.
8. Navigate to Scripting and enable Active scripting.
9. Navigate to User Authentication \ Logon.
10. Select Automatic logon only in Intranet zone and click OK.
11. Activate the Advanced tab.
12. In the Settings list, navigate to the Security section.
13. Select Enable Integrated Windows Authentication and click OK.

Mozilla Firefox - https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
1. Launch Mozilla Firefox.
2. In the URL bar, enter about:config and press Enter.
3. In the filter text box, enter network.negotiate.
4. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of the Adaxes Web interface (e.g. host.company.com).
5. Repeat the previous step for the network.negotiate-auth.delegation-uris option.

Google Chrome
Add the Software\Policies\Google\Chrome\AuthServerWhitelist key equal to *.<domain-name>.local to the registry.
Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist key equal to *.<domain-name>.local to the registry.
-
Description and cautions

The article shares working examples of using KSC API calls for one of the available scenarios: retrieving task results and statistics data for dashboards and reports.

For the Windows version of cURL, the quotes inside the arguments need to be escaped with "\", otherwise there will be an error. For example:
'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites: internal user api-user

Examples
KSC address: 127.0.0.1 (the address can also be external)
API port: 13299 (default)
User: api-user (internal KSC user), base64: YXBpLXVzZXI=
Password: password, base64: cGFzc3dvcmQ=

Credentials:
User      Password
api-user  password
Base64:
YXBpLXVzZXI=  cGFzc3dvcmQ=

Authentication type: Authenticated session. Other types: see the KSC Open API description.
All requests are in cURL format; as an alternative it is also possible to use the Python library (KlAkOAPI Python package).

Login

Start a connection to KSC (Session::StartSession):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

The username and password should be base64-encoded and sent as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding.

Response:
{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Policy changes alert \ Critical task status

Audit events available

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
  --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pFilter": {
      "EVP_INCL_GNRL_EVENTS": true,
      "EVP_INCL_TASK_STATES": false,
      "EVP_MAX_EVENTS_COUNT": 3000,
      "KLEVP_EVENT_GNRL_TYPES_ARRAY": [
        "KLAUD_EV_SERVERCONNECT", "KLAUD_EV_OBJECTMODIFY", "KLAUD_EV_TASK_STATE_CHANGED",
        "KLAUD_EV_ADMGROUP_CHANGED", "KLAUD_EV_SERVERDISCONNECT", "KLAUD_EV_OBJECTPROPMODIFIED",
        "KLAUD_EV_OBJECTACLMODIFIED"
      ],
      "Name": "Audit events",
      "PredefinedID": "PREDEFINED_QUERY_ID_AUDIT_EVENTS"
    },
    "vecFieldsToReturn": [
      "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name",
      "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version",
      "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8",
      "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID",
      "GNRL_EA_PARAM_3"
    ],
    "vecFieldsToOrder": [],
    "lifetimeSec": 1000
  }'

Response (iterator ID):
{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "strIteratorId": "A07B69A5347CF435DB66C0FA826371FF", "nStart": 0, "nEnd": 100 }'

Response (statistics dashboard data):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....

Detection of threats

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
  --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pFilter": { "KLEVP_EVENT_TYPE": "GNRL_EV_VIRUS_FOUND" },
    "vecFieldsToReturn": [
      "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name",
      "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version",
      "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8",
      "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID"
    ],
    "vecFieldsToOrder": [],
    "lifetimeSec": 1000
  }'

Response (iterator ID):
{"strIteratorId":"48E14F430EF0058BB039929318693123"}

Get the records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "strIteratorId": "48E14F430EF0058BB039929318693123", "nStart": 0, "nEnd": 20 }'

Response (statistics dashboard data):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....

Critical task status

Status of critical tasks: Backup of Administration Server data, Administration Server maintenance, Download updates to the Administration Server repository. For example, Backup of Administration Server data: strTask is the task ID shown when the task is opened in the Web Console, e.g. 148 (https://localhost:8080/#/management/tasks/148).

Acquire task execution history events (Tasks::GetTaskHistory):
curl --location --request POST 'https://localhost:13299/api/v1.0/Tasks.GetTaskHistory' \
  --header 'X-KSC-Session: n/Uvfki+u+pAmb8jjMzVBzg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "pSortFields": [{"type":"params","value":{"Name":"rise_time","Asc":false}}],
    "pFields2Return": [ "hostdn", "group_name", "task_new_state", "KLVSRV_DN", "rise_time", "GNRL_EA_DESCRIPTION" ],
    "strHostName": "KSC",
    "pFilter": { "type": "params", "value": {} },
    "strTask": "103"
  }'
Here strHostName is the host name of the Administration Server and strTask is the task ID taken from the Web Console.

Response (iterator ID):
{"strIteratorId":"2C356F1FA5B5875980950999AD036094"}

Get the records from the iterator (EventProcessing::GetRecordRange), with strIteratorId taken from the previous response:
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "strIteratorId": "2C356F1FA5B5875980950999AD036094", "nStart": 0, "nEnd": 20 }'

Response (statistics dashboard data):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:47:57Z"},"task_new_state":1}},
  {"type":"params","value":{"GNRL_EA_DESCRIPTION":"Invalid destination folder. ","group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":3}},
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":1}},
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:02Z"},"task_new_state":32}},
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":32}},
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":1}},
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-16T23:04:00Z"},"task_new_state":4}},
  {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-14T23:04:00Z"},"task_new_state":4}}
]}}

Information at Reports

Enumerate all existing reports (ReportManager::EnumReports):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.EnumReports' \
  --header 'X-KSC-Session: nejYJnFLwJgs14KpxeH9UMA=='

Response (all reports; excerpt):
{
  "PxgRetVal": [
    {
      "type": "params",
      "value": {
        "RPT_CREATED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "RPT_DN": "Report on file operations on removable drives",
        "RPT_EXTRA_DATA": {
          "type": "params",
          "value": {
            "KLRPT_DONT_USE_SPACES_FOR_SLASHES": false,
            "KLRPT_EXPAND_PERIOD": true,
            "KLRPT_GLOBAL_SCOPE": false,
            "KLRPT_OWNER_SRV_INSTANCE": "e71217d1-4a96-462c-a56a-6112bdc5369b",
            "KLRPT_PROTECTION_INCLUDE_OK": false,
            "KLRPT_PROTECTION_INCLUDE_VM": true,
            "KLRPT_PROTECTION_INCLUDE_WARNING": true,
            "KLRPT_REPORT_ID": 27,
            "KLRPT_SLAVE_EXEC_TIMEOUT": 300,
            "KLRPT_SLAVE_REC_DEPTH": 1,
            "KLRPT_TEMPORAL": false
          }
        },
        "RPT_GROUP_ID": 0,
        "RPT_ID": 27,
        "RPT_MODIFIED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "RPT_TYPE": 0
      }
    },
    ...
RPT_ID / KLRPT_REPORT_ID (27 here) is the lReportId for the next command, Execute report (ReportManager::ExecuteReportAsync).

USB data transfer alert \ Report on file operations on removable drives available

Execute report (ReportManager::ExecuteReportAsync):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.ExecuteReportAsync' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "lReportId": 27, "pOptions": { "KLRPT_OUTPUT_FORMAT": { "type": "params", "value": { "KLRPT_TARGET_TYPE": 2 } } } }'

Response (request ID):
{"strRequestId":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}

Check the status of the async action (AsyncActionStateChecker::CheckActionState):
curl --location --request POST 'https://localhost:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
  --header 'Content-Type: application/json' \
  --data-raw '{"wstrActionGuid":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}'

Response (KLRPT_OUTPUT_FILE):
{"bFinalized":true,"bSuccededFinalized":true,"lStateCode":1,"pStateData":{"KLRPT_OUTPUT_FILE":"/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json","KLRPT_OUTPUT_FORMAT":{"type":"params","value":{"KLRPT_TARGET_TYPE":2}}},"lNextCheckDelay":0}

Get the data:
curl --location --request GET 'https://localhost:13299/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json' \
  --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg=='

Response with the report data:
{"data":{"summary":{"heading":"Report on file operations on removable drives","subhead":"Report on file operations on removable drives","description":"This report provides information about file operations performed on removable drives. This report is generated for all groups.", ......

These commands can be used for all reports: Server health status, Threat detection details from reports, Software vulnerability details from the Report on vulnerabilities, etc.

Information at Dashboard

KLRPT_DSH_TYPE - list of statistics dashboard types and attributes:

KLRPT_DSH_TYPE   Diagram meaning
22               Distribution of anti-virus bases versions on hosts (5 counters: actual, 1 day old, 3 days old, 7 days old, and more than 7 days old)
56               Detection of threats
42               Prohibited applications
14               Most heavily infected devices
18, 19           Most frequent threats; Threat detection details (Critical, High, Medium)
40               Distribution of hosts with different vulnerability status (critical, high, warning, none)
26               License usage
8, 20            8: Distribution of anti-virus protection states in time. 20: Current state of anti-virus protection (number of hosts with the status Critical, Warning, and OK)
AV Definition Status Send Request to obtain required data( ReportManager::RequestStatisticsData) : ReportManager::RequestStatisticsData curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.RequestStatisticsData' --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' --header 'Content-Type: application/json' --data-raw '{ "pRequestParams": { "KLPPT_DASHBOARD": { "type": "params", "value": { "AV-DB-2": { #AV-DB-2 - Same requested unique name (GUID) "type": "params", "value": { "KLRPT_DSH_TYPE": 22, #22 - value from table List of statistics dashboards types and attributes "bIncludeVS": false, "id": 0 } } } } } }' Response ID Response {"strRequestId": "BA357813B44D88306228D8614B081C11"} Get result from Response data operation ( ReportManager::GetStatisticsData) : ReportManager::GetStatisticsData curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.GetStatisticsData' --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' --header 'Content-Type: application/json' --data-raw '{"strRequestId": "E71313D620483B40309EA81415C34005"}' #strRequestId from ReportManager.RequestStatisticsData Response statistics dashboard: Response {"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"AV-DB-2":{"type":"params","value":{"KLRPT_DSH_TYPE":22,"bIncludeVS":false,"id":0,"nCount3Days":0,"nCount7Days":4,"nCountActual":1,"nCountDay":0,"nCountOld":1}}}}}} Threat detection details (Critical, High, Medium) Send Request to obtain required data ( ReportManager::RequestStatisticsData) : ReportManager::RequestStatisticsData curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.RequestStatisticsData' --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' --header 'Content-Type: application/json' --data-raw '{ "pRequestParams": { "KLPPT_DASHBOARD": { "type": "params", "value": { "threatsDetection-1": { #GUID "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 56, "bIncludeVS": false, "id": 0 }}, 
"prohibitedApps-1": { #GUID "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 42, "bIncludeVS": false, "id": 0 }}, "infectedDevices-1": { #GUID "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 14, "bIncludeVS": false, "id": 0 }}, "frequentThreats0": { #GUID "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 18, "bIncludeVS": false, "id": 0 }}, "frequentThreats1": { #GUID "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 19, "bIncludeVS": false, "id": 0 }} } } } }' Response ID Response {"strRequestId": "D988500C858EBAE332816C34E5588F7F"} Get result from Response data operation ( ReportManager::GetStatisticsData) : ReportManager:GetStatisticsData curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.GetStatisticsData' --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' --header 'Content-Type: application/json' --data-raw '{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}' Response statistics dashboard: Response 
{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"frequentThreats01":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":28,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":28,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":24,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":19,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":15,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":5,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}},{"type":"params","value":{"nCount":2,"wstrName":"UDS:Trojan.Win32.Agent.xadwev"}},{"type":"params","value":{"nCount":1,"wstrName":"Trojan.Multi.GenAutorunProc.a"}},{"type":"params","value":{"nCount":1,"wstrName":"http://bug.qainfo.ru/test/wmuf_w/"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":18,"bIncludeVS":false,"id":0}},"frequentThreats12":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":27,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":22,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":9,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":4,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":3,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":1,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":19,"bIncludeVS":false,"id":0}},"infectedDevices-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":114,"wstrInternalName":"1ccdd245-2850-424a-9f63
-a35b115cbced","wstrName":"WIN10-KES-EDR"}},{"type":"params","value":{"nCount":7,"wstrInternalName":"3e043993-8332-4e1c-958e-a750cd3d0c7c","wstrName":"KHRAMEEV-WIN10"}},{"type":"params","value":{"nCount":2,"wstrInternalName":"c160e768-ba47-47e7-a905-d7c3d39b74d4","wstrName":"khrameev-ub19"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":14,"bIncludeVS":false,"id":0}},"prohibitedApps-2":{"type":"params","value":{"DSHT_DATA":[],"KLPPT_StatPeriodInSec":2592000,"KLRPT_DSH_TYPE":42,"bIncludeVS":false,"id":0}},"threatsDetection-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":67,"nType":1,"wstrName":"File Threat Protection"}},{"type":"params","value":{"nCount":45,"nType":10,"wstrName":"Scan task"}},{"type":"params","value":{"nCount":9,"nType":3,"wstrName":"Web Threat Protection"}},{"type":"params","value":{"nCount":2,"nType":6,"wstrName":"Host Intrusion Prevention"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:28Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:28Z"},"KLRPT_DSH_TYPE":56,"bIncludeVS":false,"id":0}}}}} End Session to KSC (Session::EndSession) : Session::EndSession curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' #PxgRetVal from Session.StartSession
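The curl sequences above (task history through an iterator, an asynchronous report polled with CheckActionState, and dashboard statistics requested and then fetched by request id) share the same mechanics: every call is a JSON POST carrying the X-KSC-Session header, every handle comes from the previous response, and every result is wrapped in KSC's {"type": ..., "value": ...} encoding. The following script is an added example written for this page, not code from the post or from Kaspersky. The method and field names are the ones the curl commands use; the class, function and variable names, the injectable `post` callable, the assumption that lNextCheckDelay is in milliseconds and that a short or empty GetRecordRange page ends the iterator, and the CAPTURED responses (trimmed copies of the output shown above, constructed so the script runs offline) are this example's own.

```python
# KSC OpenAPI helper: typed-JSON decoding, paged task history, async-action polling and
# dashboard statistics.  Added example, not code from the KSC Community post or Kaspersky: the
# method and field names are those the post calls with curl; everything else is this example's own.
import json, ssl, time, urllib.request
from datetime import datetime, timezone

def decode(value):
    """Unwrap KSC typed values {"type": T, "value": V} recursively; "datetime" -> aware datetime."""
    if isinstance(value, dict) and set(value) == {"type", "value"}:
        if value["type"] == "datetime":
            return datetime.strptime(value["value"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return decode(value["value"])                      # "params" and other wrappers
    if isinstance(value, dict):
        return {k: decode(v) for k, v in value.items()}
    if isinstance(value, list):
        return [decode(v) for v in value]
    return value

def params(d):
    return {"type": "params", "value": d}                  # input envelope the API expects

def http_poster(base_url, token):
    """Real transport: POST JSON to <base_url>/api/v1.0/<Method> with the X-KSC-Session header.
    TLS verification stays on: the session token is a bearer credential."""
    ctx = ssl.create_default_context()
    def post(method, body):
        req = urllib.request.Request(f"{base_url}/api/v1.0/{method}", data=json.dumps(body).encode(),
                                     headers={"X-KSC-Session": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return post

class KscClient:
    def __init__(self, post): self.post = post             # callable(method, body) -> parsed JSON

    def task_history(self, task_id, server_host, page=20):
        """GetTaskHistory -> iterator id, then GetRecordRange paged with nStart/nEnd until a short
        or empty page comes back (assumed to mean the iterator is exhausted)."""
        it = self.post("Tasks.GetTaskHistory", {
            "pSortFields": [params({"Name": "rise_time", "Asc": False})],
            "pFields2Return": ["hostdn", "group_name", "task_new_state", "rise_time", "GNRL_EA_DESCRIPTION"],
            "strHostName": server_host, "pFilter": params({}), "strTask": str(task_id)})["strIteratorId"]
        events, start = [], 0
        while True:
            chunk = self.post("EventProcessing.GetRecordRange",
                              {"strIteratorId": it, "nStart": start, "nEnd": start + page})
            batch = decode(chunk["pParamsEvents"]).get("KLEVP_EVENT_RANGE_ARRAY", [])
            events.extend(batch)
            if len(batch) < page:
                return events
            start += page

    def wait_async(self, action_guid, sleep=time.sleep, max_polls=60):
        """Poll CheckActionState until bFinalized, sleeping lNextCheckDelay (assumed milliseconds)."""
        for _ in range(max_polls):
            st = self.post("AsyncActionStateChecker.CheckActionState", {"wstrActionGuid": action_guid})
            if st.get("bFinalized"):
                if not st.get("bSuccededFinalized"):
                    raise RuntimeError(f"action {action_guid} failed: {st}")
                return decode(st.get("pStateData", {}))
            sleep(st.get("lNextCheckDelay", 1000) / 1000)
        raise TimeoutError(action_guid)

    def dashboards(self, wanted):
        """RequestStatisticsData then GetStatisticsData; `wanted` maps caller-chosen names to
        KLRPT_DSH_TYPE parameters and the result comes back keyed by the same names."""
        rid = self.post("ReportManager.RequestStatisticsData", {"pRequestParams": {
            "KLPPT_DASHBOARD": params({n: params(v) for n, v in wanted.items()})}})["strRequestId"]
        res = self.post("ReportManager.GetStatisticsData", {"strRequestId": rid})
        return decode(res["pResultData"])["KLPPT_DASHBOARD"]

def failed_events(events):
    """Task history records that carry an error description (here: the failed backup run)."""
    return [(e["rise_time"].isoformat(), e["hostdn"], e["GNRL_EA_DESCRIPTION"].strip())
            for e in events if e.get("GNRL_EA_DESCRIPTION")]

def stale_db_ratio(av):
    """Dashboard type 22: share of hosts whose AV bases are 7 days old or older."""
    total = sum(av.get(k, 0) for k in ("nCountActual", "nCountDay", "nCount3Days", "nCount7Days", "nCountOld"))
    return (av.get("nCount7Days", 0) + av.get("nCountOld", 0)) / total if total else 0.0

CAPTURED = {  # constructed offline stand-in: trimmed copies of the responses shown in the post
    "Tasks.GetTaskHistory": {"strIteratorId": "2C356F1FA5B5875980950999AD036094"},
    "EventProcessing.GetRecordRange": {"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY": [
        params({"hostdn": "KSC", "task_new_state": 1, "rise_time": {"type": "datetime", "value": "2022-01-18T11:47:57Z"}}),
        params({"hostdn": "KSC", "task_new_state": 3, "GNRL_EA_DESCRIPTION": "Invalid destination folder. ",
                "rise_time": {"type": "datetime", "value": "2022-01-18T11:46:03Z"}})]}},
    "AsyncActionStateChecker.CheckActionState": {"bFinalized": True, "bSuccededFinalized": True, "lNextCheckDelay": 0,
        "pStateData": {"KLRPT_OUTPUT_FILE": "/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json"}},
    "ReportManager.RequestStatisticsData": {"strRequestId": "BA357813B44D88306228D8614B081C11"},
    "ReportManager.GetStatisticsData": {"pResultData": {"KLPPT_DASHBOARD": params({"AV-DB-2": params(
        {"KLRPT_DSH_TYPE": 22, "nCountActual": 1, "nCountDay": 0, "nCount3Days": 0, "nCount7Days": 4, "nCountOld": 1})})}},
}
fake_poster = lambda method, body: json.loads(json.dumps(CAPTURED[method]))  # fresh copy, like a parsed HTTP body

if __name__ == "__main__":                                 # offline demo against CAPTURED
    c = KscClient(fake_poster)
    print(failed_events(c.task_history(103, "KSC")))
    print(c.wait_async("e54ff81b-bfe7-46bb-8f60-de1865bce47c", sleep=lambda s: None)["KLRPT_OUTPUT_FILE"])
    print(stale_db_ratio(c.dashboards({"AV-DB-2": {"KLRPT_DSH_TYPE": 22, "bIncludeVS": False, "id": 0}})["AV-DB-2"]))
```

Against a real server, construct the client as KscClient(http_poster("https://localhost:13299", token)) with the PxgRetVal from Session.StartSession, and call Session.EndSession through the same poster when finished. The transport keeps certificate verification enabled on purpose: the session header is the only thing protecting the API, so do not pair it with an unverified TLS connection outside a lab.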