How to supervise iOS device with Apple Configurator [KES for Mobile]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You need a Mac device with macOS 14+ to supervise an iOS device via Apple Configurator.

Your iOS device will be reset to factory settings during supervision.

1. Download Apple Configurator from the App Store.
2. Run Apple Configurator.
3. Connect your iOS device. Unlock the device and tap Trust.
4. Select your device and click the Prepare button.
5. Select 'Manual Configuration'. Check 'Supervise devices' and 'Allow devices to pair with other computers' (if you want to allow it). Click the Next button.
6. Leave it on "Do not enroll in MDM" and click the Next button.
7. Click the Skip button.
8. Enter information about your organization (only the 'Name' field is mandatory). Click the Next button.
9. Select 'Generate a new supervision identity'. Click the Next button.
10. In the next window, choose which steps will be presented to the user in Setup Assistant. You can choose 'Show all steps', 'Do not show any of these steps' or 'Show only some steps'; with the last option you must select the steps. Click the Prepare button.
11. Enter the password for your macOS account.
12. Click the Erase button. Your device will be reset to factory settings.
13. Wait while your device is prepared.
14. When the device turns on, you should see in the device settings that it is supervised and managed by your organization.

Now you can install the iOS MDM profile on this device and apply an iOS MDM policy with options for supervised devices.
-
Description
The error looks like this: you can't download the trace log, but there is free space on the disk.

Cause
You will see this error if free disk space is less than 10G. KWTS is not within sizing: 200 GB of hard drive space, which includes:
- 25 GB for temporary file storage
- 25 GB for log file storage

How to solve a problem
Bring disk sizing to the minimum hardware requirements.
-
Description
After generating a trace log and then attempting to download it via the KWTS 6.1 web interface, the download fails with an error if the trace log is larger than 1GB (one gigabyte). The error reproduces on different devices and in different browsers: Mozilla, Chrome, Edge.
- In Mozilla, the download stops with "Failed to download file".
- Chrome goes into an endless download attempt: the download is interrupted at 1GB, after which the speed drops to 0kb/s and the download starts all over again.

How to solve
To resolve the problem with downloading a large trace log, follow this procedure:

1) Connect to the Kaspersky Web Traffic Security node via SSH to access the technical support mode. If SSH access has not been previously configured, you must first log into the web interface as a local administrator and configure access by uploading the SSH public key.

2) Go to the /etc/nginx/conf.d directory and make a backup copy of the kwts_webapi.conf and kwts_controlapi.conf files if you have not done so before:

    cd /etc/nginx/conf.d
    cp -p kwts_webapi.conf kwts_webapi.conf.backup
    cp -p kwts_controlapi.conf kwts_controlapi.conf.backup

3) Open the /etc/nginx/conf.d/kwts_webapi.conf file for editing and add the uwsgi_max_temp_file_size 0; line to the location /web/api block:

    location /web/api {
        ...
        uwsgi_max_temp_file_size 0;
        include uwsgi_params;
        ...
    }

4) Open the /etc/nginx/conf.d/kwts_controlapi.conf file for editing and add the uwsgi_max_temp_file_size 0; line to the location /ctl/v1 block:

    location /ctl/v1 {
        ...
        uwsgi_max_temp_file_size 0;
        include uwsgi_params;
    }

5) Restart nginx using the command:

    systemctl restart nginx

6) Check the status of the nginx service; it should be running:

    systemctl status nginx

The described steps must be repeated on each node of the Kaspersky Web Traffic Security cluster. After completing the procedure, restart your web browser and reconnect to the Kaspersky Web Traffic Security 6.1 web interface.
-
To create a Certificate Signing Request file using the openssl utility:

1. Prepare a file named sandbox.config with the following contents:

    [req]
    default_bits=2048
    prompt=no
    default_md=sha256
    req_extensions=req_ext
    distinguished_name=dn

    [dn]
    C=AE
    ST=North
    L=Dubai
    O=ABC LAB
    OU=IT Security
    emailAddress=security@abc.lab
    CN=katasb.abc.lab

    [req_ext]
    subjectAltName=@alt_names

    [alt_names]
    DNS.1=katasb.abc.lab

2. Create a private RSA key with the PEM extension (without a passphrase):

    # openssl genrsa -out sandbox.key 2048

3. Create a Certificate Signing Request using the following command:

    # openssl req -new -sha256 -key sandbox.key -out sandbox.csr -config sandbox.config

4. Generate the certificate (as a Web Server certificate) from the internal CA in Base 64 encoding and copy the certificate and key to the KATA SB server.
   Note: you might need to allow the connection using WinSCP (https://forum.kaspersky.com/topic/how-to-copy-files-tofrom-kata-katakedre-37146/ section 1.2).
   Access your internal CA from the Domain Controller using https://dc.abc.lab/certsrv and follow the instructions as in the screenshots below.

5. To convert the DER encoded PKCS#7 file, use the following command:

    # openssl x509 -inform PEM -in sandbox.cer -out sandbox.crt

6. On the Sandbox server in SSH mode, create a backup of the original files, both the private key and the certificate, with the same rights as before:

    # cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig
    # cp -p /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.orig

7. Replace the original files with your files:

    # cat my_cert.crt > /etc/nginx/ssl/server.crt
    # cat my_cert.key > /etc/nginx/ssl/server.key

8. The rights and owner of the files should be the same:

    # ll /etc/nginx/ssl
    -rw-r----- 1 root klusers 2008 Feb 8 15:51 server.crt
    -rw------- 1 root root 1732 Feb 8 15:51 server.key

9. If the rights are different for the new files, use the commands below to change the rights and ownership:

    # chmod 640 server.crt
    # chown root:klusers server.crt
    # chmod 600 server.key
    # chown root:root server.key

10. Restart the nginx service:

    # systemctl restart nginx.service

11. Open the KATA SB Web UI using the hostname and verify the certificate.
-
Description
You can see an issue like this:

You can also find log entries like this in diagnostic_info\logs\var\log\kwts-traces.log:

    Line 1538367: Jan 11 18:12:33 kwts2 KWTS Licenser[1154]: 1241 INF httpcli#011Req 0x7fecd003b9d0 CURL: Could not resolve host: activate.activation-v2.kaspersky.com
    Line 1538460: Jan 11 18:12:33 kwts2 KWTS EventLogger[1062]: 1102 DBG APP: void lms::event_logger::LoggerHelperProcFrontend::SendCommand(const lms::event_logger::HelperProcCommand&, const string&)message is: license error: Could not resolve host

Or like this:

    Line 4667143: Nov 18 16:02:12 32-vs-kwts02 KWTS Licenser[1675]: 35735 DBG APP: virtual result_t lms::licenser::utils::RequestCompleteEvent::OnRequestComplete(licensing::facade::product::ILicensing*, licensing::facade::product::activation_action::Type, const ActivationCode&, result_t, licensing::facade::product::IActivationContent*) actionType = 0, activationCode = AW65R-BZ8CG-KBQ18-ANNZ2, result = 0xa0430005
    Line 4667349: Nov 18 16:02:12 32-vs-kwts02 KWTS EventLogger[1552]: 1592 DBG APP: void lms::event_logger::Journalist::Write(const lms::event_logger::JournalRecord&) JournalRecordData(dateTime.dt: 133132501328539280, type: 9, person: kluser, result: 1, description: license error: Could not resolve host, details: { "name": "LicenseErrorEvent", "data": {#012 "reason": -1608777683#012} })

How to solve a problem
It means that the problematic node could not resolve the activation service. Check access to the activation services from the problematic node:

    curl -v https://activation-v2.kaspersky.com/ --cacert activation-v2.kaspersky.crt

If the connection does not succeed, open access to:

    https://activation-v2.kaspersky.com
    https://activation-v2.kaspersky.com/ActivationService/ActivationService.svc

Also check the page on configuring network access - https://support.kaspersky.com/KWTS/6.1/en-US/189764.htm
-
Yes, probably. And it also hangs in the product's main window. In the report thread the issue has been given priority 4 (the lowest), and it is closed for discussion anyway. So the AG devs don't see anything special here. It's mostly the users who are upset.)
-
Description
You can face an issue like this on the Events page in KWTS:

Sometimes the search on the Events page works correctly, sometimes it does not.

If you collect a har-file (HOW TO) from the Events page with the issue reproduced, you will see an error in it as well:

You can also find an error in diagnostic_info\logs\var\log\kaspersky\kwts\extra\webapi.log:

    celery.backends.base.SoftTimeLimitExceeded: SoftTimeLimitExceeded(True,)

Then you should check Maximum event log size (https://support.kaspersky.com/KWTS/6.1/en-US/174773.htm) in the settings here: diagnostic_info\klinfo\worker_settings.xml

Maximum event log size is set to 10 GB.

How to solve a problem
You should set it to 9 GB. The KWTS architecture is not designed for a large event database size.
-
Don't forget to install the 6.0.1 and 6.0.2 patches, which fix some bugs in ICAP integration.

Description and cautions
Since we have new ICAP working modes, presented in KATA 6.0 - https://support.kaspersky.ru/KATA/6.0/en-US/247269.htm , we would like to show you how to configure such an integration, using a squid proxy server as the example.

Added ICAP integration with feedback. ICAP integration with feedback can work in two modes:
- Standard scan. In standard scan mode, the object is scanned by all supported technologies. While being scanned by the Sandbox component, the object remains available. If a threat is detected, the object is blocked.
- Advanced scan. In the advanced scan mode, objects are scanned by all supported technologies. While being scanned by the Sandbox component, the object is not available. If a threat is detected, the object is blocked.

Details
Reminder - this is just an example, but a working one :)

Squid configuration part
Assuming you already have squid installed with the default configuration (of course, yours could be different according to your infrastructure), add the following lines at the end of /etc/squid/squid.conf (change the IP address to yours):

    icap_enable on
    adaptation_send_username on
    adaptation_send_client_ip on
    icap_service kata_req reqmod_precache icap://10.68.56.219:1344/av/reqmod
    icap_service kata_resp respmod_precache icap://10.68.56.219:1344/av/respmod
    adaptation_access kata_req allow all
    adaptation_access kata_resp allow all
    icap_service_failure_limit -1

The only other thing we changed is at the start of squid.conf: the source subnet, in order to adapt the server to our Lab.

    #
    # Recommended minimum configuration:
    #
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localnet src 10.68.56.0/23

We also recommend adding the lines below, so you will be able to analyze ICAP logs:

    logformat icap_squid %tl %6tr %rm %ru %rp %6icap::tr %>a %icap::to/%03icap::Hs %icap::rm %icap::ru %un %icap::<A %icap::<st %icap::>st %icap::<bs %icap::>h %icap::<h %icap::tr %icap::tio
    icap_log /var/log/squid/icap.log icap_squid

ICAP logs are located at /var/log/squid/icap.log and look like this:

So the whole picture should look like this:

Testing part
If standard scan mode is enabled, let's check on the KATA side how it looks in /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log:

    grep --color 'blocking_simple mode' /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log | grep 'verdict'

In this example we can see that a file from a URL was scanned with verdict: clean (whitelist)

    09:41:46.697 INF 137781 server/source/file_handler_respmod.cpp:435 [sid: 0x0000004d] RESPMOD: Finish processing file in blocking_simple mode (request url: 'r3.o.lencr.org', size: 503, filename: 'baf664a8a7841e1d057f5ab0da58bcf0', uuid: 5cc2d18781924f98b6e4961494125616, md5: baf664a8a7841e1d057f5ab0da58bcf0, format: GeneralBin), processing time: 0.147ms, verdict: clean (whitelist)

File from URL with verdict: clean (cached)

    09:40:14.476 INF 137778 server/source/file_handler_respmod.cpp:435 [sid: 0x0000004a] RESPMOD: Finish processing file in blocking_simple mode (request url: 'detectportal.firefox.com/success.txt?ipv6', size: 8, filename: 'success.txt', uuid: 25f155a67eff4a4a90b33dbbb4f3367c, md5: ae780585f49b94ce1444eb7d28906123, format: GeneralTxt), processing time: 0.124ms, verdict: clean (cached)

URL with verdict: good (KSN)

    09:42:37.334 INF 137780 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000004c] REQMOD: Finish processing url in blocking_simple mode ('box.kaspersky.com'), processing time: 3ms, verdict: good (KSN)

File from URL with verdict: clean (scanned)

    09:35:14.691 INF 137770 server/source/file_handler_respmod.cpp:435 [sid: 0x00000042] RESPMOD: Finish processing file in blocking_simple mode (request url: 'detectportal.firefox.com/success.txt?ipv4', size: 8, filename: 'success.txt', uuid: 4c87c81cf3d543ceb6694d917329d2b8, md5: ae780585f49b94ce1444eb7d28906123, format: GeneralTxt), processing time: 124.894ms, verdict: clean (scanned)

URL with verdict: bad (KSN)

    10:05:18.354 INF 137802 server/source/file_handler_reqmod.cpp:187 [sid: 0x00000062] REQMOD: Finish processing url in blocking_simple mode ('kaspersky.com/test/wmuf'), processing time: 146ms, verdict: bad (KSN)

If advanced scan mode is enabled, let's check on the KATA side how it looks in /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log:

    grep --color 'blocking_advanced mode' /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log | grep 'verdict'

The picture is much the same, but from the browser side you will see that the object is blocked/inaccessible:

    10:54:01.341 INF 139635 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000000e] REQMOD: Finish processing url in blocking_advanced mode ('bug.qainfo.ru/test_cloud/wmuf'), processing time: 27ms, verdict: bad (KSN)
    10:54:20.467 INF 139635 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000000e] REQMOD: Finish processing url in blocking_advanced mode ('secure.eicar.org:443'), processing time: 0ms, verdict: good (KSN)
    10:50:45.303 INF 139632 server/source/file_handler_respmod.cpp:435 [sid: 0x0000000b] RESPMOD: Finish processing file in blocking_advanced mode (request url: 'ocsp2.globalsign.com/gsorganizationvalsha2g3', size: 1461, filename: 'gsorganizationvalsha2g3', uuid: f88dd52252da4fdf8aaabc3aafdbdb0a, md5: 9a3ec48893b2952f013e03311b878e18, format: GeneralBin), processing time: 0.346ms, verdict: clean (whitelist)

During the tests you should see activity on the ICAP dashboard in the KATA web UI, and under the Security officer account we can see two alerts generated after our tests (10.68.56.227 is the squid IP address).

In the real world, of course, you will see other detections as well, for instance on infected objects and malicious URLs.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem
You change the account of the administration server service via the klsrvswch tool. Note that this is the only way to change the account; manual modification (for example, via services.msc) is not supported.

Then you run the Install required updates and fix vulnerabilities task. As a result, the task is cancelled and updates are not installed.

Diagnostics
The following error can be found in $klserver-1093.log:

    20.11.2023 10:26:16.683 00000ADC.000028C0 L4 KLSTD: Error 0x5 accessing the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#', m_dwWin32Access=0x80000000, m_dwWin32Creation=0x3, m_dwWin32Flags=0x8000000
    20.11.2023 10:26:16.683 00000ADC.000028C0 L1 KLSTD: Error ERROR_ACCESS_DENIED (attempt 186 from 300) for the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#'

When checking the permissions of the file C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#, it lacks the new service account assigned to the kladminserver service:

In this example, the Administration Server account is the old service account used to start the KSC service.

Workaround
Add the new KSC Service account or the KLAdmins group to the access control list of the #WSUS# file and grant it full access:
-
Versions
Applicable to versions above 5: 5.0, 5.1, 6.0, 6.0.1, etc.

You may want to access the log-history logs (formerly apt-history) directly, for convenience or if the kata-collect-siem-logs tool is malfunctioning for some reason.

These logs are gzip-compressed and sorted by date, as files with names in the format /data/volumes/s3proxy/log-history/YYYY-MM-DD-HH-MM-SS, where YYYY-MM-DD-HH-MM-SS is the datetime.

    basename -a /data/volumes/s3proxy/log-history/2024*
    2024-01-01-13-55-03
    2024-01-17-12-00-14
    2024-01-17-12-05-14

To access these logs, use the respective zless, zgrep and zcat tools. For example:

    zcat /data/volumes/s3proxy/log-history/2024-01-17-12-05-14
    2024-01-17 12:00:59.924639 info apt-history: New IDS alert: {id: 63, importance: High, hidden: False, rule_id: 51310592, excluded rule: False, src: 18.156.136.240:80, dest: 10.63.100.252:2198, bases_version: 202401170033}

Bonus: you can also use these tools to read rotated logs of kataservices in /var/log/kaspersky/services/:

    zgrep "FileNotFoundError" /var/log/kaspersky/services/web_backend/web_backend.log.1
-
Versions
Applicable to versions later than 5.0, 5.1, 6.0, 6.0.1, etc.

Problem
There are several cases where the standard method of changing interface network settings via the Web UI is not available, e.g. the Web UI is inaccessible.

Solution
Become root and save the nodes settings:

    sudo su
    console-settings-updater get /deploy/deployment_api/nodes | python3 -m json.tool > /tmp/nodes

Open the saved file for editing:

    vim /tmp/nodes

Locate the desired network_settings, ifaces node and change the values that you need to change:

    {
        "cc2cx0fltsjmxolid99p5loen": {
            "id": 1,
            "hostname": "1.srv.node1.node.dyn.kata",
            ...
            "network_settings": {
                "ifaces": [
                    {
                        "iface_name": "ens160",
                        "configuration_type": "static",
                        "span": false,
                        "address": "10.68.56.215",
                        "netmask": "255.255.254.0",
                        "gateway": "10.68.56.1",
                        "mac": "00:50:56:a5:39:f6"
                    },
                    {
                        "iface_name": "ens192",
                        "configuration_type": "static",
                        "address": "100.100.100.100",
                        "netmask": "255.255.255.0",
                        "gateway": "100.100.100.1",
                        "mac": "00:50:56:a2:5a:f6"
                    }
                ]
            }
        }
    }

Save your changes and exit Vim. Verify that the JSON structure is valid (the command returns no errors):

    cat /tmp/nodes | python3 -m json.tool

Import the modified settings back:

    console-settings-updater set /deploy/deployment_api/nodes @/tmp/nodes
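The json.tool step only proves the file is syntactically valid; a mistyped netmask or a gateway outside the subnet still imports cleanly and can cut off access to the node. The check below is an added example, not part of the original article or of KATA: it validates each static interface in the structure shown above and lists what changed relative to an untouched copy of the export. Keeping such a copy, the function names and the constructed sample values are assumptions.

```python
import copy
import ipaddress
import json
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)


def check_iface(iface):
    """Return the problems found in one entry of network_settings.ifaces."""
    name = iface.get("iface_name", "<unnamed>")
    problems = []
    if not MAC_RE.match(str(iface.get("mac", ""))):
        problems.append(f"{name}: malformed mac {iface.get('mac')!r}")
    # Assumption: only "static" entries carry address/netmask/gateway to check.
    if iface.get("configuration_type") != "static":
        return problems
    try:
        addr = ipaddress.IPv4Address(iface["address"])
        net = ipaddress.IPv4Network(f"{addr}/{iface['netmask']}", strict=False)
        gateway = ipaddress.IPv4Address(iface["gateway"])
    except KeyError as exc:
        return problems + [f"{name}: missing field {exc}"]
    except ValueError as exc:  # bad address, gateway or netmask
        return problems + [f"{name}: {exc}"]
    if net.prefixlen < 31 and addr in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {addr} is not a host address in {net}")
    if gateway not in net:
        problems.append(f"{name}: gateway {gateway} is outside {net}")
    elif gateway == addr:
        problems.append(f"{name}: gateway equals the interface address")
    return problems


def _ifaces(node):
    return node.get("network_settings", {}).get("ifaces", [])


def validate_nodes(text):
    """Validate the whole exported document; an empty list means no findings."""
    try:
        nodes = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems, seen = [], {}
    for node_id, node in nodes.items():
        host = node.get("hostname", node_id)
        for iface in _ifaces(node):
            problems += [f"{host}: {p}" for p in check_iface(iface)]
            addr = iface.get("address")
            if addr and addr in seen:
                problems.append(f"{host}: address {addr} already used by {seen[addr]}")
            elif addr:
                seen[addr] = f"{host}/{iface.get('iface_name')}"
    return problems


def changed_fields(before_text, after_text):
    """List (hostname, iface, key, old, new) for every edited interface value."""
    before, after = json.loads(before_text), json.loads(after_text)
    changes = []
    for node_id, node in after.items():
        old_ifaces = {i.get("iface_name"): i for i in _ifaces(before.get(node_id, {}))}
        for iface in _ifaces(node):
            old = old_ifaces.get(iface.get("iface_name"), {})
            for key in sorted(set(old) | set(iface)):
                if old.get(key) != iface.get(key):
                    changes.append((node.get("hostname", node_id),
                                    iface.get("iface_name"), key,
                                    old.get(key), iface.get(key)))
    return changes


# Constructed sample modelled on the article's excerpt (elided fields omitted).
_node = {"cc2cx0fltsjmxolid99p5loen": {"id": 1, "hostname": "1.srv.node1.node.dyn.kata",
    "network_settings": {"ifaces": [
        {"iface_name": "ens160", "configuration_type": "static", "span": False,
         "address": "10.68.56.215", "netmask": "255.255.254.0",
         "gateway": "10.68.56.1", "mac": "00:50:56:a5:39:f6"},
        {"iface_name": "ens192", "configuration_type": "static",
         "address": "100.100.100.100", "netmask": "255.255.255.0",
         "gateway": "100.100.100.1", "mac": "00:50:56:a2:5a:f6"}]}}}
GOOD = json.dumps(_node)
_edited = copy.deepcopy(_node)
_edited_ifaces = _edited["cc2cx0fltsjmxolid99p5loen"]["network_settings"]["ifaces"]
_edited_ifaces[0]["gateway"] = "10.68.58.1"     # constructed typo: outside the /23
_edited_ifaces[1]["netmask"] = "255.255.0.255"  # constructed typo: not a netmask
BAD = json.dumps(_edited)

if __name__ == "__main__":
    for change in changed_fields(GOOD, BAD):
        print("CHANGED", *change)
    for problem in validate_nodes(BAD):
        print("PROBLEM", problem)
```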
-
Description
Here's how to install the KATA 6.0 Ubuntu edition in a KVM environment - https://support.kaspersky.ru/KATA/6.0/en-US/265697.htm

In the example below we use RHEL 9.3, installed as a VM in VMware Workstation Pro 17.0.

Step-by-step guide
1. First, you have to install QEMU/KVM; all steps are described HERE.
2. Then install Virtual Machine Manager from the Software application; here it's version 4.1.0.
3. After successful installation, open the Virtual Machine Manager application and click the "Create a new virtual machine" icon.
4. Assuming you have the KATA Ubuntu ISO locally in the OS, choose the option below and click "Forward".
5. Click "Browse" and "Forward".
6. Click "Browse Local".
7. Locate the KATA Ubuntu ISO and click "Open".
8. Next, do the steps as shown in the picture below.
9. Click "Yes".
10. Assign resources to the VM according to THIS article (ignore our settings below, it's just a demo) and click "Forward".
11. Configure a disk (ignore our settings below, it's just a demo) and click "Forward".
12. Name your VM, select a network and click "Finish".
13. Now you should see the installation window; proceed as you usually do with a standard KATA installation on VMware.
14. In this window select ONLY "single", because KVM supports only this type of installation.
15. Select a disk and click "OK".
16. Wait a bit and you should see that the installation starts; now you just have to wait for the next step of installation/configuration.
17. Now select subnets (usually use the default ones) by pressing Enter.
18. Choose network > assign IP (static or dhcp, in our example we use dhcp) > set password length and the password itself > configure DNS servers.
19. Choose whether you want to capture traffic via SPAN (y or n) > configure NTP servers.
20. That's it, KATA is installed.
21. Now you can log in to the web UI and configure the server. In our example the IP of the server is 192.168.122.47, so let's log in to https://192.168.122.47:8443 and voila.
22. Click "Configure" and wait for completion.
-
Scenario: KATA/EDR CN is integrated with the KPSN server, and you want to enrich the KPSN reputation database with the detections from the sandbox server.

You can integrate a KATA Platform Central node with the KPSN reputation database and automatically populate it with information about the files that the sandbox technology finds to be dangerous and highly important.

Pre-requisites:
To configure sending checksums of the files detected by the sandbox technology to KPSN, you will need a certificate of a KPSN user account entitled to use the KPSN API.

Download the certificate (both parts, public and private) of a KPSN user who has permission to use the KPSN API from the user’s profile in the KPSN web console. The KPSN administrator has the required permissions, but a pair of encryption keys of any user allowed to access the KPSN API will do as well.

You can provide API access to the required user from KPSN Web UI → Users → and the API option should be enabled under permissions.

To send the sandbox detections to KPSN:

In the central node administrator’s console, open Settings | KPSN reputation database and specify:
- HOST – IP address of the KPSN server where the local KPSN reputation database is stored;
- TLS Certificate – a certificate for the user authentication in KPSN;
- TLS encryption key – private encryption key.

There are two or more servers with different roles in a typical KPSN installation. A KPSN server can have several roles. Specify the IP address of the KPSN server that has the Monitoring Service role.

In the Central node console of a senior security officer, open Settings | KPSN reputation database and select the checkbox to Assign the ‘Untrusted’ status to objects.

You can upload a test file to the KATA Central node for scanning; once the file is detected by the Sandbox component, the checksum of the detected file will be published in the KPSN local reputation database.

The KPSN administrator can manually create records in the KPSN reputation database. A record added by KATA/EDR has the KATA tag in the description. You cannot delete the KATA records, but you can disable them.

The screenshot below displays the sample hashes added to the KPSN reputation database from the KATA server.
-
Description and cautions
One may need to change the admin account's password (the account used for SSH login).

KATA 5.0
For KATA 5.0 this article is not applicable. There is no option to change the Local Administrator/Cluster Administrator password in the pseudo-graphic menu by default in 5.0. See https://forum.kaspersky.com/topic/how-to-reset-kata-web-administrator-password-in-kata-50-katakedre-36844/

Details
In case of a standalone Central node:
1. Log in to the web interface of the CN. Enter the admin credentials (used for SSH login).
2. Go to admin account > change password, as shown below.

In case of a Distributed deployment (PCN and SCN):
1. Log in to the web interface of the PCN. Enter the admin credentials (used for SSH login).
2. Go to admin account -> change password.
3. Log in to the SCN via SSH and change the password using the pseudographic menu ("Change cluster admin password..." option).
-
Trusted Applications [KES for Mac]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
KESMac 12 and KESMac 11.3 patch C allow adding particular processes to the trusted section named Trusted Applications; both the file system and the network activity of these processes can then be ignored by the product, which increases performance. Please note, however, that this could be potentially risky.
https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/194142.htm

Problem
This article describes a few ways to configure KES for Mac to exclude some software from the scope of the product.

Solution

Trusted applications
To be able to exclude an application from scanning with KES, the Trusted Applications function available in Kaspersky Endpoint Security for Mac can be used:

The Trusted applications section as seen in the policy creation wizard. Naturally, it can be configured later by modifying the policy.

Update the plugin to at least version 11.3.0.33 to get the new functionality.

In some specific cases it might be required to put several binaries into Trusted Applications simultaneously for the exclusion to take effect. So, a final solution might include several path-based exclusions accompanied by a few BundleID-based ones.

Trusted Applications are only available for configuration via KSC policy; i.e. it is currently impossible to add an application to exclusions without KSC installed. Additionally, an appropriate application control plug-in for KESMac must be downloaded and installed on the KSC prior to using the Trusted Applications functionality. It can be found on the corresponding download page.

Common exclusions for developers
It is suggested to exclude the following paths: "/Library/Developer/CommandLineTools" and "/Library/Toolchains" for the standard developers' utilities, as well as "/Applications/Xcode.app/*" for Xcode. If you use alternative tools, contact Kaspersky Support to get the exact paths for further exclusions.

Excluding TCP 443 from port monitoring
Additionally, in case of HTTPS-connectivity issues, unchecking port 443 in Monitored ports may also help:
-
KES Processing Error on Google Drive shares [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem Description, Symptoms & Impact
KES File Threat Protection sometimes can't check Microsoft Office documents from mounted Google Drive shares and therefore generates Processing error events.

This issue is caused by an incompatibility between the Google Drive VFS driver and KES. There are no plans to make KES compatible with Google Drive.

Workaround & Solution
As a workaround, add files with Office extensions stored on the share to exclusions. This shouldn't lower protection, because Office creates a temporary copy of a document when it is opened, which will not be in the exclusion scope and will still be checked.

Example for .xlsx files: Path\to\google\drive\folder\*.xlsx, where Path\to\google\drive\folder is replaced with an actual path.
-
Correct integration/installation [EDR Optimum]
svc_kms posted a blog entry in Kaspersky EDR Optimum's Kaspersky EDR Optimum
This article will help you check that the EDRO component is correctly installed and integrated.

What you need to know about EDRO
1. EDRO works with KES 11.7+, KSWS 11.0.1 and KSV LA 5.2 (Windows only), the so-called EPP: https://support.kaspersky.com/KEDR_Optimum/2.3/en-US/216855.htm
2. You must use NWC for EDRO.
3. You can't use only KEA for the EDRO scenario. It always integrates with EPP.

How to check that the EDRO component is installed correctly
First of all, you need to check whether the KEA component was installed and, if it is installed, whether it was integrated with EPP.

KES
Starting with KES 11.7, the EDRO agent is integrated into KES.

First of all, check the component status in MMC or NWC.

MMC:

NWC:

If you see Not supported by license, pay attention to the version. If you see 0.0.0.0 or N/A, it means that the component is not installed. Not supported by license doesn't mean that there is no license for EDRO; it may mean that the component is not installed on the host.

When the component is installed but not activated, you'll see the installed component version:

MMC:

NWC:

If the component was installed and was not activated, it will look like this in the KES GUI:

If the component is not installed, there will be no Detection and Response section in the KES GUI (if MDR is installed, there will be a Detection and Response section, but there will be no Endpoint Detection and Response Optimum like you see above).

How to check the EDRO license in the KES UI
You can check the license components in the KES GUI. If the word Optimum is absent, the license does not support EDRO. For example:

And here is an example where the license key supports EDRO:

KSWS
During KSWS installation you must enable Endpoint Agent, even if KEA was already installed on the host. KSWS detects it and enables the connector with the existing KEA (KEA will not be reinstalled).

This is how a correctly installed KSWS + KES looks in the MMC:

And if it is not installed:

KSV LA
There is no change components task. You can change them only during the upgrade or installation. Reinstallation requires a reboot.

During installation you need to choose Custom installation and enable integration with KEA.

Remember that you can enable integration in the installation package properties in the KSC.

How to check the NWC setup for EDRO
What to do if there is no Alerts section in the NWC.

How it looks:

If there is no Alerts section in the WEB UI, go to the settings:

And enable EDR alerts:

In the KSC NWC the EDRO plugin is present by default. It is installed with the console, so the only way to reinstall it is to reinstall NWC.

How a detection looks without the EDRO component installed
If you see a detection but without enriched information, it will look like this:

In the Enrichment and response section you'll see only Basic. It means there was a detection but no additional information about it was collected. The main reason why this may happen is that there is no EDRO component on the host.
-
Step-by-step guide
You need a Mac device to collect an iOS device log via Apple Configurator.

1. Download Apple Configurator from the App Store.
2. Run Apple Configurator.
3. Connect your iOS device. Unlock the device and tap Trust.
4. Open the iOS device → Console.
5. Reproduce the issue.
6. Save the log in Apple Configurator. Try to save the log as soon as possible after you reproduce the issue, because the log is constantly being overwritten.
7. Send the collected log file to Kaspersky support for further analysis.
-
Problem Description, Symptoms & Impact
Sometimes an error might occur when installing KSE:

    KseCheckServicePortIsFreeActionStep has completed with an error: Service network port 13100 is occupied by another application…

Diagnostics
Screenshot or KSEInfoCollector.

Make sure that port 13100 is open and not used by any application, and repeat the installation. This can be done using the command below. You will see a table with a process ID (PID column) next to the address and port:

    netstat -aon | findstr 13100

You can then find this process by the ID in Task Manager or using the command below. Use the process ID you found with the previous command instead of the %PID% below:

    tasklist /fi "pid eq %PID%"

Example:

    tasklist /fi "pid eq 18060"

Workaround & Solution
There's no way to change the port used by KSE. So, the only option here is to free the port used by an application and repeat the installation.

Sometimes IIS or W3WP.exe might be using the port. In some cases, this port is occupied after the Exchange updates, and the port should be released after the server restart.

RCA
Some application is using port 13100.
-
Problem
In previous versions of KATA it was possible to mount an NFS share to copy backups to. In KATA 5.x only CIFS share mounts are available out of the box.

Error

    root@1.srv.node1.node.dyn.kata:/home/admin# mount -t nfs 10.225.62.41:/mnt/NFS/KXDR /mnt/nfs
    mount: /mnt/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

Solution
Install packages manually via dpkg in the following order to add NFS support:

    dpkg -i /home/admin/libtirpc-common_1.2.5-1_all.deb
    dpkg -i /home/admin/libtirpc3_1.2.5-1_amd64.deb
    dpkg -i /home/admin/keyutils_1.6-6ubuntu1_amd64.deb
    dpkg -i /home/admin/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
    dpkg -i /home/admin/rpcbind_1.2.5-8_amd64.deb
    dpkg -i /home/admin/nfs-common_1.3.4-2.5ubuntu3.5_amd64.deb
-
Problem description:
After generating the client certificate on the central node and uploading it to the KES policy, you can get the error below:

    Enter a crypto-container password to use the certificate.

Note: If you are using KEA as a standalone product with a KEA policy, you can upload the client certificate properly.

Root cause:
By default, the cryptographic container is not password-protected. The cryptographic container contains only the certificate file, but not the private key file. The KES policy does not apply a certificate without a password (only KEA does).

Solution:
Access the central node via SSH under the root account.

1) Export your current certificate to a passwordless pem file:

    # openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
    Enter Import Password: <Enter no password>
    MAC verified OK

2) Convert the passwordless pem to a new pfx file with a password:

    # openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
    Enter Export Password: <Enter password here>
    Verifying - Enter Export Password: <Enter password here>

Now you can use the new mycert2.pfx file with your new password.
-
So it is, after all, a periodic notification in the product. One that cannot be disabled permanently.
-
Problem

While WTP/NTP is enabled, the nft utility produces errors (stderr) like:

    # nft list ruleset
    XT target TPROXY not found
    XT target TPROXY not found
    XT target TPROXY not found
    XT target TPROXY not found

These errors are caused by a bug in the nft utility and the xt_TPROXY dynamic library. This effect does not indicate functionality issues. This bug may be reported to netfilter.org developers.

Explanation

Whenever the nft utility lists traffic rules, it dynamically loads extension libraries (for example, from /usr/lib/x86_64-linux-gnu/xtables in Debian OS) including TPROXY and CONNMARK. When nft encounters the first ipv4 rule, it sets the global "family=ipv4" state via the xtables_set_nfproto function, then loads libxt_TPROXY.so, which has both ipv4 and ipv6 targets, but the ipv6 targets are ignored due to the flag. After that, nft processes ipv6 rules, but there are no ipv6 targets for them. As a result, the nft utility produces the errors "XT target TPROXY not found".
-
Issue:

Some log files in KWTS take up a lot of disk space. Log rotation for these files does not work. For example:

Information

Information about log sizing and rotation can be found in the files in the /etc/logrotate.d folder on the KWTS server. The size of log files should be no more than:

    Log file                                       Described in file               Maximum size
    All files in /var/log/kaspersky/kwts/extra/    /etc/logrotate.d/kwts           100 MB
    /var/log/kwts-messages                         /etc/logrotate.d/kwts-syslog    500 MB
    /var/log/kwts-important                        /etc/logrotate.d/kwts-syslog    50 MB
    /var/log/kwts-traces                           /etc/logrotate.d/kwts-syslog    500 MB
    /var/log/nginx/access.log                      /etc/logrotate.d/nginx          100 MB
    /var/log/nginx/error.log                       /etc/logrotate.d/nginx          20 MB
    /var/log/squid/icap.log                        /etc/logrotate.d/squid          100 MB
    /var/log/squid/ssl.log                         /etc/logrotate.d/squid          100 MB
    /var/log/squid/squid.out                       /etc/logrotate.d/squid          10 MB
    /var/log/squid/cache.log                       /etc/logrotate.d/squid          500 MB
    /var/log/squid/access.log                      /etc/logrotate.d/squid          500 MB
    /var/log/messages                              /etc/logrotate.d/syslog         100 MB
    /var/log/cron                                  /etc/logrotate.d/syslog         10 MB
    /var/log/maillog                               /etc/logrotate.d/syslog         10 MB
    /var/log/secure                                /etc/logrotate.d/syslog         20 MB
    /var/log/spooler                               /etc/logrotate.d/syslog         1 MB

Actual result

The kwts-traces log file has grown to 4 GB:

Expected result

The kwts-traces file is no more than 500 MB.

How to fix

1. Be prepared that you will need to reboot the server and it will not process traffic while it is rebooting. You also need SSH access to the KWTS server - https://support.kaspersky.com/KWTS/6.1/en-US/183526.htm
2. Make sure that the trace level is in "Error" mode - https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm
3. Delete the largest log files (in our case it is /var/log/kwts-traces).
   If you need to clear additional disk space, you can delete large archive files if you are sure that you do not need the information in them.
4. Reboot the KWTS server and make sure that the deleted large files (/var/log/kwts-traces) are recreated.
5. Find out in the table above which file contains information about kwts-traces rotation. It is kwts-syslog.
6. Execute the following command:

       logrotate -f -v /etc/logrotate.d/kwts-syslog &> logrotatef.log

7. Make sure that all log files described in the /etc/logrotate.d/kwts-syslog file were rotated. (You can see which log files are described in this file in the table above.)

What's next

Kindly monitor that the previously broken files (kwts-traces) do not exceed 500-600 MB. If a file continues to grow and is already 700 MB or more, then run the command:

    /usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf &> logrotatestatus.log

Then send the logrotatef.log file from step 6 and the logrotatestatus.log file to Kaspersky Support. Also send diagnostic info at the "Debug" level. Do not forget to change it back to the "Error" level - https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm
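An added example (not part of the original post and not Kaspersky tooling): a shell function that compares each log from the table above with its stated limit and names the logrotate file that should be rotating it. It assumes 1 MB means 1048576 bytes; the function name and the optional ROOT argument (a prefix for checking a copied tree) are hypothetical.

```shell
#!/bin/sh
# Limits copied from the table above: path (or glob), limit in MB, file in /etc/logrotate.d
LIMITS='/var/log/kaspersky/kwts/extra/* 100 kwts
/var/log/kwts-messages 500 kwts-syslog
/var/log/kwts-important 50 kwts-syslog
/var/log/kwts-traces 500 kwts-syslog
/var/log/nginx/access.log 100 nginx
/var/log/nginx/error.log 20 nginx
/var/log/squid/icap.log 100 squid
/var/log/squid/ssl.log 100 squid
/var/log/squid/squid.out 10 squid
/var/log/squid/cache.log 500 squid
/var/log/squid/access.log 500 squid
/var/log/messages 100 syslog
/var/log/cron 10 syslog
/var/log/maillog 10 syslog
/var/log/secure 20 syslog
/var/log/spooler 1 syslog'

# oversized_logs [ROOT]
# Prints one line per existing log that exceeds its limit:
#   <log file> <size in MB, rounded down> <limit in MB> <logrotate config to re-run>
# ROOT is a hypothetical prefix so the check can run against a copied log tree.
# Usage on the server itself: oversized_logs
oversized_logs() {
    root=${1:-}
    printf '%s\n' "$LIMITS" | while read -r pattern limit conf; do
        # $pattern is left unquoted on purpose so the extra/* glob expands
        for f in "$root"$pattern; do
            [ -f "$f" ] || continue            # skip missing files and unmatched globs
            bytes=$(($(wc -c <"$f")))          # arithmetic strips wc padding
            if [ "$bytes" -gt $((limit * 1048576)) ]; then
                echo "${f#"$root"} $((bytes / 1048576)) ${limit} /etc/logrotate.d/${conf}"
            fi
        done
    done
}
```

The last column of each reported line is the file to pass to logrotate -f -v in step 6.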
-
Problem Description, Symptoms & Impact

The problem persists over different browsers, incognito mode and computers. The training status is "In Progress". The number of problematic users is small, usually limited to 1-5.

Diagnostics

The issue usually presents itself on the student's (not admin's) side as a grey (non-active) button or a page that is not loading completely.

Workaround & Solution

Clear the cache and cookies in the browser. Pause the training for the problematic user and then restart the training.
