Jump to content

All Activity

This stream auto-updates

  1. Past hour
  2. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem When you assign KSC as WSUS all hosts are not able to download anything from Microsoft Store. It is a Microsoft's design limitation. Description When KSC acts as WSUS group policy (GPO) "DoNotConnectToWindowsUpdateInternetLocations" is applied to the hosts. It is needed to prohibit hosts from downloading updates from the Internet (it is relevant for Windows 10/Server 2016). Such limitation blocks the ability to download applications from Microsoft Store. Microsoft explanation More details about this behavior can be found in the following link: https://cloudblogs.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ Solution In case if you need this ability back and don't mind hosts download updates from the Internet, you can apply the following solution: Stop KSC server service Open registry editor "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags" Create server flag KLWUS_WUA_DISABLE_CONN_TO_INET = 0 Start KSC server service A restart of KSC Server might be required in some cases.
  3. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. 1) Go to Programs and features and find WebConsole 2) Press Change/uninstall 3) Choose Upgrade mode 4) Follow the wizard and you will be able to change port and list of trusted servers.
  4. If there are many outdated entries in Executable files list in computer's properties or on a server, there is a way to bring it up-to-date. Step-by-step guide There is a hidden Actualization task that runs at the end of the Inventory task. To use this functionality and quickly update the list of executables, do the following: Create an Inventory task Set Inventory scope to either empty or very small folder Run it Since the scope of work is small, the inventory task will be performed much faster and will go straight to the actualization task. After the task is completed, all outdated (not existing at the moment) executables will be removed from the list.
  5. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. There are multiple fields in database that are not easy to interpret. For example nIP, nStatus and many others. Most of them are from public view v_akpub_host which is one of the main sources of information about managed computer on KSC. The objective of this article is to help understanding the encoding used, if you want to learn more about public views and specific fields refer to klakdb.chm located in the KSC installation folder. nIP When you will query for an IP address the result may surprise you. Instead of IP address you will receive a number, let's say 2130706433, which actually translates to 127.0.0.1. Here is an explanation how this translation is achieved. Number 2130706433 equals 1111111000000000000000000000001‬ in binary. Let's split it into groups of 4 to make it easier to read. 0111 1111.0000 0000.0000 0000.0000 0001 (leading zero is added for visibility). IP address is 4 byte long, which is 32 bits. As you see there are exactly 32 numbers divided into 4 groups called octets. It already starts to look like an IP address. We just need to convert binary back to decimal, while keeping it grouped: 127.0.0.1 The same can be done with the SQL query, here is an example, which returns Computer Name and its IP address in human readable format SELECT wstrDisplayName "Display Name", CAST( ((nIp / 16777216) & 255) AS varchar(4)) + '.' + CAST(((nIp / 65536) & 255) AS varchar(4)) + '.' + CAST(((nIp / 256) & 255) AS varchar(4)) + '.' + CAST(((nIp) & 255) AS varchar(4) ) "IP Address" FROM v_akpub_host; Another good example is the following code which returns host's visibility, nagent installed or not, nagent alive or not and real time protection state: SELECT h.wstrDnsName , h.wstrDisplayName, CAST(((h.nStatus) & 1) AS varchar(1)) as 'Host Visible', CAST(((h.nStatus / 4) & 1) AS varchar(1)) as 'Agent Installed', CAST(((h.nStatus / 8) & 1) AS varchar(1)) as 'Agent Alive', CAST(((h.nStatus / 16) & 1) AS varchar(1)) as 'Protection Installed' FROM v_akpub_host h order by wstrDisplayName MSSQL script to display hosts where KESW firewall component is stopped SELECT v_akpub_host.wstrDisplayName, CAST( ((v_akpub_host.nIp / 16777216) & 255) AS varchar(4)) + '.' + CAST(((v_akpub_host.nIp / 65536) & 255) AS varchar(4)) + '.' + CAST(((v_akpub_host.nIp / 256) & 255) AS varchar(4)) + '.' + CAST(((v_akpub_host.nIp) & 255) AS varchar(4) ) strIp FROM v_akpub_host INNER JOIN v_akpub_prod_comp ON v_akpub_prod_comp.nHostId = v_akpub_host.nId and v_akpub_prod_comp.binId = 0x11CFDA90E1554E2D9415E5384EB6FC25 and v_akpub_prod_comp.nStatus = 1 order by wstrDisplayName nStatus nStatus is another useful parameter stored as decimal integer. The key to understanding is the same, yet in this case each bit (not like in previous case where each 8 bits represented a number in IP address) represents its own aspect of a state. We should treat is as a (binary) bit set, where (information below is from klakdb.chm) : bit 0 is set if host is visible bit 1 is reserved bit 2 is set if Network Agent is installed bit 3 is set if Network Agent is "alive" bit 4 is set if real-time protection is installed For example nStatus equals 29. 29 is 11101 in binary. Remember that binary is read from left to right. In this case the status is as follows: bit 0 equals 1 – that means a bit is set, which in our case means that the host is visible. bit 1 equals 0, but as it is reserved, we just omit it. bit 2 equals 1, so Network Agent is installed on the host. bit 3 equals 1, which means that Network Agent is “alive” – can communicate with SC etc. bit 4 equals 1, so protection (KES, KSWS, etc.) is installed on the host. qwNagentBuild qwNagentBuild stores NAgent version installed on the host as a 64bit value, where every 16 bit word is one number from version. Example: Network Agent 15.1.0.20748, qwNagentBuild = 4222128945647884 (HEX 000F 0001 0000 510C) Word 0 - 510C - 20748 Word 1 - 0000 - 0 Word 2 - 0001 - 1 Word 3 - 000F - 15 Here is an example SQL query to get the version number from this field: Select( CAST(CAST((v_akpub_host.qwNagentBuild / 281474976710656) AS bigint) & 0xFFFF AS varchar) + '.' + CAST(CAST((v_akpub_host.qwNagentBuild / 4294967296) AS bigint) & 0xFFFF AS varchar) + '.' + CAST(CAST((v_akpub_host.qwNagentBuild / 65536) AS bigint) & 0xFFFF AS varchar) + '.' + CAST((v_akpub_host.qwNagentBuild & 0xFFFF) AS varchar)) AS NAversion from v_akpub_host Additional reading To learn more about this data format refer to this article https://en.wikipedia.org/wiki/Endianness
  6. Description Sometimes KSC backup task may fail with the following error: #1181 (-2147023878) System error 0x800703FA (Illegal operation attempted on a registry key that has been marked for deletion.) At first, rebooting the OS may help, but the error may return. Cause The user identity associated with the COM+ application was logged on when the COM+ application was first initialized. If that user logs off, their profile will be unloaded and the COM+ application will no longer be able to read the registry keys in that user's profile. The User Profile Service forcibly unloads a user's profile when the user logs off. In such a situation, forcing a user profile to be unloaded can cause the application to crash if registry handles are not closed. This User Profile Service functionality is the default behavior. Resolution As a workaround, you may need to change the default behavior of the User Profile Service. The "Do not forcefully unload the user registry at user logoff" policy setting controls the default behavior. If this setting is enabled, the User Profile Service will not force an unload of the registry, but will wait until other processes are not using the user's registry before unloading it. The policy can be found in the Group Policy Editor (gpedit.msc). Computer Configuration → Administrative Templates → System → User Profiles Do not forcefully unload the user registry at user logoff Change the setting from Not Configured to Enabled which disables the new User Profile Service feature. DisableForceUnload is the value added to the registry. For more information see MS article https://support.microsoft.com/en-us/help/2287297/a-com-application-may-stop-working-on-windows-server-2008-when-a-user
  7. RDP connection invoked via KSC console uses hostname to connect to a host - mstsc.exe is invoked with /v hostname parameter. Edit command line used to invoke mstsc.exe with ip address parameter instead of the hostname: Open Custom tools → Configure custom tools Select Remote Desktop, click Modify Edit Command line text box, it should contain <host_ip> instead of <A>: /v:<host_ip>:<P> /f Disable Create tunnel for TCP port specified below checkbox Administration Console will now launch mstsc.exe with ip address as argument.
  8. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) There are two real-world scenarios related to KES FDE encryption and licensing that often result in unexpected behavior of encrypted devices: FDE encryption is used with the Advanced license and later replaced with the Select license (or any other license without encryption). Encryption license is expired. This is exactly what will happen to encrypted devices in both cases: The files on the encrypted devices will still be accessible. Preboot and preboot account management will still function. Devices can be decrypted using standard procedures. Note that new devices won't be encrypted.
  9. This article describes what is considered a Full Scan, which affects the KSC status "Virus Scan has not been performed for a long time". Scan task area settings There are two ways to set areas for a Scan task. Tasks started with any other settings (including Quick Scan and Critical Area Scan with default settings) will not be considered as a Full Scan. Primary Kernel Memory Running processes and Startup Objects Disk boot sectors Local disk (logical disk where OS is installed) Alternative Kernel Memory Running processes and Startup Objects Disk boot sectors %systemroot%\ %systemroot%\System\ %systemroot%\System32\ %systemroot%\System32\drivers\ %systemroot%\SysWOW64\ %systemroot%\SysWOW64\drivers\ Path is Case-Sensitive in order to support upcoming Windows features. Selecting "including subfolders" is not obligatory. Successful execution of background scan clears the status of managed host 'not scanned for a long time" in KSC console.
  10. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) Trojan.Multi.Accesstr detection is triggered when KES detects that one of Windows utilities in %systemroot%\system32 folder is replaced by cmd.exe or powershell.exe. Please see below for a list of affected files with exact detection names. Detection event looks like this: Trojan.Multi.Accesstr object detected in System Memory Result: Untreated: Trojan.Multi.Accesstr.a Reason: Skipped Trojan.Multi.Accesstr.a.ok "%SystemRoot%\\system32\\osk.exe" "%SystemRoot%\\syswow64\\osk.exe" Trojan.Multi.Accesstr.a.mf "%SystemRoot%\\system32\\magnify.exe" "%SystemRoot%\\syswow64\\magnify.exe" Trojan.Multi.Accesstr.a.ds "%SystemRoot%\\system32\\displayswitch.exe" "%SystemRoot%\\syswow64\\displayswitch.exe" Trojan.Multi.Accesstr.a.ab "%SystemRoot%\\system32\\atbroker.exe" "%SystemRoot%\\syswow64\\atbroker.exe" Trojan.Multi.Accesstr.a.um "%SystemRoot%\\system32\\utilman.exe" "%SystemRoot%\\syswow64\\utilman.exe" Trojan.Multi.Accesstr.a.sh "%SystemRoot%\\system32\\sethc.exe" "%SystemRoot%\\syswow64\\sethc.exe" Trojan.Multi.Accesstr.a.ed "%SystemRoot%\\system32\\easeofaccessdialog.exe" "%SystemRoot%\\syswow64\\easeofaccessdialog.exe" Trojan.Multi.Accesstr.a.nr "%SystemRoot%\\system32\\narrator.exe" "%SystemRoot%\\syswow64\\narrator.exe" After attack is detected, KES will try to restore the original files by looking for a backup of the file on the endpoint machine. However backup of these files may be missing from the affected PC, so a manual attempt might be in order. Here's the recommended way to proceed with repairing an affected system manually: Run sfc /scannow If sfc command fails to repair the files, try these steps: run DISM tool by executing DISM /Online /Cleanup-Image /RestoreHealth run sfc /scannow again after DISM finishes If all of the above fails to restore original files or these tools are unavailable for some reason, you can replace the files manually using the list above. Please see relevant Microsoft Docs article for full information on using DISM to repair OS.
  11. Problem Some devices do not have keyboards, but still are detected with BadUSB. Step-by-step guide In order to allow them work properly use BadUSB on-screen keyboard, using other onscreen keyboards or physical ones is not recommended. To open BadUSB on-screen keyboard click on the highlighted text (example for Russian localization). Note that Prohibit use of On-Screen Keyboard for authorization of USB devices option should be turned off.
  12. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) Outlook add-in failure may be related to a KES upgrade. Step-by-step guide As the first step to quickly fix majority of the issues with Outlook add-in, unregister it and register again. Here is how to do it properly: Close Outlook if opened. Execute regsvr32 /u <product_folder>/mcou.dll regsvr32 /u <product_folder>/x64/mcou.dll Delete all keys like HKLM\SOFTWARE\(Wow6432Node)\Microsoft\Office\Outlook\Addins\OutlookKLAvPlg.Addin* Execute regsvr32 <product_folder>/mcou.dll regsvr32 <product_folder>/x64/mcou.dll Open MS Outlook, go to File\ Options\ Add-ins\ field "Manage:", value "COM Add-ins", press button "Go..."\ window "COM Add-ins" Make sure the Kaspersky Outlook Anti-Virus Addin checkbox is selected. Don't forget to specify paths to existing files by checking them beforehand.
  13. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) Testing Network Threat Protection (NTP, Network Attack Blocker or NAB) may appear tricky, as it is finely tuned to specific attacks only. During past years many detections were modified or removed to prevent major false detections. It is necessary to understand that NTP is not intended to prevent the following types of attacks: DoS Information Disclosure (port scanning) There are different solutions on the market to deal with that. Our NTP mostly prevents network vulnerabilities exploits, which are far more dangerous, as they may allow remote code execution. For example, DoS inside the network is less probable. And if it is happening, then it indicates grater issues. There are multiple approaches to test it. The list contains various 3rd party methods. Metasploit module ms08_067_netapi will be detected as Intrusion.Win.MS08-67.exploit.* Metasploit modules ms17_010_eternalblue and ms17_010_psexec will be detected as Intrusion.Win.MS17-010.* Emulate RDP Brutforce attack using hydra utility which will be detected as Bruteforce.Generic.Rdp.*. Here is a syntax example: hydra -v -f -L rockyou.txt -P rockyou.txt rdp://192.168.0.1
  14. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) In cases when Bitlocker encryption of a certain volume is started using KES Bitlocker management, and the product returns the following error: Event type: The policy can not be applied. Action: Encryption Reason: The system drive is not compatible with the Microsoft BitLocker encryption. Type of encryption: disk encryption User: .... and the same error is being logged in the Kaspersky Event Log as well, the following data should be collected in order to troubleshoot the issue. Step-by-step guide KES runtime traces collected during the error registration. Run KES product, turn traces on. Run "avp.com PBATESTRESET" command. Restart the product. Retry disk encryption and verify that the error has been logged again. Stop collecting traces and provide them for analysis. Output of the following commands: - manage-bde -status - wmic /namespace:\\ROOT\CIMV2\Security\MicrosoftVolumeEncryption path Win32_EncryptableVolume GET from the client host in question. Listed commands should be executed in the elevated command prompt. GSI https://support.kaspersky.com/common/diagnostics/3632
  15. Problem Application category based on the "Metadata" conditions created, but does not work. Solution This is expected behavior, in case the file does not have a digital signature, that can be trusted by local KES on the host in question, or is not known in KSN. Use sigcheck tool to see if the file has a valid digital signature – https://technet.microsoft.com/ru-ru/sysinternals/bb897441.aspx Use other criteria, to determine the category (for example file hash). Add to KSN the necessary file by writing a request to KL.
  16. Issue During initial deployments you may encounter errors like this: Jun 3 12:50:13 ksmg postfix/smtpd[841]: NOQUEUE: reject: RCPT from ksmg.example.com[10.10.10.1]: 450 4.1.2 <test@example.com>: Recipient address rejected: Domain not found; from=<test@example.com> to=<test@example.com> proto=ESMTP helo=<example.com> This means that the recipient domain could not be verified in DNS. Solution There are multiple ways to avoid it: create a proper DNS records for the mentioned domain on the DNS server that is used by KSMG configure to use a different DNS server that has proper records just disable this check in Settings -> MTA -> Advanced Settings -> Reject messages for unknown recipient domains When that check is enable, requests are rejected, when the RCPT TO domain has no DNS MX and no DNS A record a malformed MX record (a record with a zero-length MX hostname)
  17. Problem Currently KSMG has IPv6 support enabled in Postfix: inet_protocols = all However, Postfix 2.6 has a known limitation: http://www.postfix.org/IPV6_README.html "Postfix SMTP clients before version 2.8 try to connect over IPv6 before trying IPv4. With more recent Postfix versions, the order of IPv6 versus IPv4 outgoing connection attempts is configurable with the smtp_address_preference parameter. " http://www.postfix.org/postconf.5.html#inet_protocols "Postfix versions before 2.8 attempt to connect via IPv6 before attempting to use IPv4. " Solution Disable IPv6 to evade limitation by configuring: KSMG1.1 inet_protocols = ipv4 in both /opt/kaspersky/klms-appliance-addon/share/templates/main.cf.template and /etc/postfix/main.cf and restarting Postfix afterwards: systemctl restart postfix KSMG2.0 inet_protocols = ipv4 in /opt/kaspersky/ksmg-appliance-addon/share/templates/main.cf.template Then change any setting in Web-UI Settings - Build-In MTA - Basic settings. You can change value of Message size limit (bytes) by 1
  18. This article explains ROBOT attack, RSA Key Exchange, OpenSSL and KSC. Explanation If you are running security analyzer and it shows that connections on ports 13000 (server-nagent traffic) and 17000 (activation proxy) are suspicious for a ROBOT attack, don't panic. Automatic analysis is not accurate. Run specific diagnostics to make sure that KSC traffic is actually not vulnerable. Examples: https://testssl.sh/ https://github.com/robotattackorg/robot-detect Check https://mta.openssl.org/pipermail/openssl-dev/2017-December/009887.html that ROBOT attack site is referencing. It states that "We're mostly focused on non-timing issues and OpenSSL is not among the vulnerable implementations", although OpenSSL uses RSA Key Exchange. More information What is ROBOT attack – https://robotattack.org/
  19. General information on ConnectWise Manage integration can be found in online help. Enabling and disabling tracing You may have to save traces of Kaspersky Security Integration with Tigerpaw, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to remove the trace files from your computer, when the issue, which required tracing, is resolved, because the trace files may contain personal and confidential data. By default, tracing is disabled. There are two ways of enabling and disabling tracing for Kaspersky Security Integration with Tigerpaw components: Using the Microsoft Windows Registry. In the .config files of Kaspersky Security Integration with Tigerpaw components. Enabling and disabling tracing using the Registry You can enable and disable tracing using the Microsoft Windows Registry. To enable or disable tracing: Before editing the Windows Registry, it is recommended that you back up the Registry. Click the Start button. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window opens. If you have restricted access to the Windows computer you are logged into, you might not be able to access the Registry. In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP or Kaspersky Security Integration Tool for MSP registry key. They are available by one of the following paths: Kaspersky Security Integration Service for MSP HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP Kaspersky Security Integration Tool for MSP If the Kaspersky Security Integration Tool for MSP registry key is not displayed, either run the Kaspersky Security Integration Tool for MSP as administrator (by right-clicking the application icon and selecting Run as administrator in the context menu), or create the registry key manually. HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP Edit the value of the EnableTraces parameter as follows: 1—To enable tracing. 0—To disable tracing. Click OK in the Edit window to save your changes. Close the Registry Editor window. The trace files are saved to the .log files in the application installation folder: For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder. For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder. When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application. Enabling and disabling tracing using the .config files You can enable and disable tracing in the .config files of Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, which are stored in the installation folders of the corresponding products. To enable or disable tracing: Navigate to the .config file of the Kaspersky Security Integration with Tigerpaw component for which you want to enable or disable tracing. The .config file is stored in the installation folder. By default, the navigation paths are: For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder. For Kaspersky Security Integration Service for MSP the file is IntegrationServer.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder. Open the .config file with any text editor and change the value of the minlevel attribute of the logger element as follows: To enable tracing, set the value of the minlevel attribute to Debug. <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" /> To disable tracing, set the value of the minlevel attribute to Off. <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" /> Save and close the modified .config file. The trace files are saved to the .log files in the application installation folder: For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder. For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder. When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
  20. General information on ConnectWise Manage integration can be found in online help. Enabling and disabling tracing You may have to save traces of Kaspersky Security Integration with Autotask, for example, if you contact Technical Support and they ask you to provide the traces for diagnostics and troubleshooting. It is recommended to disable tracing when the issue is resolved, as tracing requires additional resources and additional memory to store trace files. It is also recommended to remove the trace files from your computer, when the issue, which required tracing, is resolved, because the trace files may contain personal and confidential data. By default, tracing is disabled. There are two ways of enabling and disabling tracing for Kaspersky Security Integration with Autotask components: Using the Microsoft Windows Registry. In the .config files of Kaspersky Security Integration with Autotask components. Enabling and disabling tracing using the Registry You can enable and disable tracing using the Microsoft Windows Registry. To enable or disable tracing: Before editing the Windows Registry, it is recommended that you back up the Registry. Click the Start button. In the Start menu, either in the Run box or the Search box, type regedit and press Enter. The Registry Editor window opens. If you have restricted access to the Windows computer you are logged into, you might not be able to access the Registry. In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP or Kaspersky Security Integration Tool for MSP registry key. They are available by one of the following paths: Kaspersky Security Integration Service for MSP HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP Kaspersky Security Integration Tool for MSP If the Kaspersky Security Integration Tool for MSP registry key is not displayed, either run the Kaspersky Security Integration Tool for MSP as administrator (by right-clicking the application icon and selecting Run as administrator in the context menu), or create the registry key manually. HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP Edit the value of the EnableTraces parameter as follows: 1—To enable tracing. 0—To disable tracing. Click OK in the Edit window to save your changes. Close the Registry Editor window. The trace files are saved to the .log files in the application installation folder: For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder. For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder. When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application. Enabling and disabling tracing using the .config files You can enable and disable tracing in the .config files of Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, which are stored in the installation folders of the corresponding products. To enable or disable tracing: Navigate to the .config file of the Kaspersky Security Integration with Autotask component for which you want to enable or disable tracing. The .config file is stored in the installation folder. By default, the navigation paths are: For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder. For Kaspersky Security Integration Service for MSP the file is IntegrationServer.exe.config, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder. Open the .config file with any text editor and change the value of the minlevel attribute of the logger element as follows: To enable tracing, set the value of the minlevel attribute to Debug. <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" /> To disable tracing, set the value of the minlevel attribute to Off. <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Off" /> Save and close the modified .config file. The trace files are saved to the .log files in the application installation folder: For Kaspersky Security Integration Tool for MSP the file is IntegrationUI.log, by default saved to the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Tool for MSP folder. For Kaspersky Security Integration Service for MSP the file is IntegrationServer.log, by default stored in the C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Integration Service for MSP folder. When you uninstall Kaspersky Security Integration Tool for MSP and Kaspersky Security Integration Service for MSP, the trace files are removed together with the application.
  21. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. When running security analyzers on KSC server you may occasionally get warnings about outdated OpenSSL libraries. Normally these vulnerabilities can not be exploited as the OpenSSL library is used in a very specific way. If vulnerable OpenSSL libraries were found in C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\protcomp then there is actually no way to exploit it. Due to this fact this library is usually updated with major releases of KSC. What is protcomp Protcomp is a common code used by the following KSC components. vapm: searches for vulnerabilities, local service, does not establish connections (all information transferred to the server via NAgent traffic); up2date: does not work with SSL; klfc: application categorization, local service, does not establish connections; ksnproxy: establishes network connection, but does not use Open SSL; cm_um: encryption, local encryption service, does not establish connections. Why OpenSSL is used Open SSL has non-networking functions like randomizer and encryption.
  22. General information on ConnectWise Automate integration can be found in online help. LabTech service logs You can access service logs on a LabTech server by launching LabTech Control Center and then navigating to Dashboard → Management → Service Logs. Then select Go To Computer and select LabTech server. To view diagnostic info for managed client hosts you should first refresh the information by clicking Commands → LabTech →Send LabTech Error Log. On both LabTech servers and client hosts diagnostic information is stored in a file C:\Windows\LTSvc\LTErrors.txt. The file is truncated whenever you click Send LatTech Error Log. Plugin for LabTech integration logs Plugin diagnostic information is stored in C:\Windows\Temp\KasperskyPluginLogs\KasperskyPlugin.txt. This log is automatically rotated - after reaching 1MB the file is moved to an archive and new log is written to the same file. There is a limit of 10 archives. Upon reaching the limit the oldest archive is overwritten every time a new archive is created.
  23. General information on ConnectWise Manage integration can be found in online help. Kaspersky Security Integration Service for MSP log To collect diagnostic log for Kaspersky Security Integration Service for MSP you need to take the following steps: Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Service for MSP; Open file IntegrationServer.exe.config Set minlevel attribute to "Debug": <rules> <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" /> </rules> To enable traces via registry key you have to take the following steps: In the Registry Editor window, navigate to the Kaspersky Security Integration Service for MSP: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Service for MSP or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Service for MSP Set the value of the EnableTraces parameter to 0 to turn off tracing, or to 1 to enable tracing Diagnostic log will be written to a file named IntegrationServer.log. If you restart Integration Service for MSP service the new log records will be appended to the same file. Kaspersky Security Integration Tool for MSP To collect diagnostic log for Kaspersky Security Integration Tool for MSP you need to take the following steps: Navigate to C:\Program Files\Kaspersky Lab\Kaspersky Security Integration Tool for MSP; Open file IntegrationUI.exe.config Set minlevel attribute to "Debug": <rules> <logger name="MSPIntegration.*" writeTo="fileTarget" minlevel="Debug" /> </rules> To enable traces via registry key you have to take the following steps: In the Registry Editor window, navigate to the Kaspersky Security Integration Tool for MSP: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Kaspersky Security Integration Tool for MSP or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Kaspersky Security Integration Tool for MSP Set the value of the EnableTraces parameter to 0 to turn off tracing, or to 1 to enable tracing Diagnostic log will be written to a file named IntegrationUI.log. If you close and reopen Integration Tool for MSP window the new log records will be appended to the same file. Integration components installation logs Installation logs are always written to four files in c:\windows\temp: $klssinstlib.log $akinstlib.txt $msp_msi*.log $msp_setup*.log
  24. This article is about Kaspersky Security Center for Windows (KSC for Windows) In this article we will share the steps on how run a .bat file remotely through Kaspersky Security Center (KSC). How to execute a batch file on the remote hosts Create an installation package based on a file Create a remote installation task for that Installation package Assign the task to a target hosts and start it During task execution NAgent will run the file using a 32-bit cmd.exe process (C:\Windows\SysWOW64\cmd.exe) under LocalSystem account. Limitations Some commands and programs Do not support execution under LocalSystem account. Are not recognized as internal (external) for 32-bit cmd, thus can not be started from 32-bit cmd.exe process. How to execute batch file using 64-bit cmd.exe process: Add symbolic link to 64-bit cmd.exe in the script Run all cmdlets using this symlink Example REM the following creates symlink named cmdin64.exe to C:\Windows\System32\cmd.exe cmd.exe /c mklink cmdin64.exe "C:\Windows\System32\cmd.exe" REM next line starts uwfmgr.exe with , which is not recognized as internal or external for 32-bit cmd.exe cmdin64.exe /c uwfmgr.exe Using x64 versions of commands. For example, to import .reg file you need to create the following bat file: Example echo off reg add <reg file> /reg:64 You can find x64 versions of the commands online.
  25. Step-by-step guide Open KSWS policy Navigate to "User rights" section Under "Configure application management section" press "Settings" button In the "Permissions for Kaspersky Security" window press "Advanced" button Select necessary user or group -> press "Edit" button -> press "Show advanced permissions" In the "Permissions Entry for Kaspersky Security" window unselect "Uninstall Kaspersky Security", make sure that Type is set to "Allow" Switch Type to "Deny" -> click "Clear all" button -> Select "Uninstall Kaspersky Security" In the pop-up "Windows Security" window select "Yes" If security administrator will try to uninstall KSWS he'll receive the following error message If you'll apply this settings for KSC\Administrators, then you might lose the list of current KSWS management users.
  26. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Sometimes it's not clear how KSC assigns Distribution Point (DP) for Managed groups or NLA subnets, and how clients choose DP. Automatic assignment of distribution points is enabled in Kaspersky Security Center by default. The Administration Server automatically selects the scopes for distribution points, and assigns one or multiple distribution points to each scope depending on how many client computers it includes. The Administration Server first considers how many managed computers it has in total. If there are fewer than 300, the Administration Server does not assign distribution points automatically. If there were more than 300 but later they decreased to fewer than 300, the server does not stop automatic assignment. Automatic assignment stops only if the total number of managed computers becomes fewer than 200. Then all (remaining) automatically assigned distribution points become ordinary managed computers. If automatic assignment is active (not just enabled but the number of endpoints is also above the threshold), the KSC Server selects which scopes to assign to distribution points, and then selects one or multiple distribution points for each scope depending on the number of managed computers in the scope. Kaspersky Security Center can assign distribution points to three types of scopes: Administration groups Broadcast domains Network locations Administration groups and network locations are structures defined in the Kaspersky Security Center Console. A broadcast domain is a logical division of a computer network in which all endpoints can exchange data by broadcasting at the data link layer of the OSI network model. Kaspersky Security Center can automatically assign distribution points either to groups or to broadcast domains. An administrator can manually assign a distribution point to a group or network location. The Administration Server attempts to define broadcast domains for all endpoints of the network. This is an automatic process that is performed in the background and takes multiple hours depending on the network’s specifics. Until the KSC Server defines a broadcast domain for 70% of endpoints in the network, it assigns distribution points to groups. As soon as the percentage of endpoints whose broadcast domain is known exceeds 70%, the KSC Server begins to assign distribution points to broadcast domains. The type of scope changes only once and is irreversible. Regardless of the currently used scope type, the Administration Server looks at the number of endpoints in each scope (in a group without taking its subgroups into account, or in a broadcast domain), and assigns distribution points depending on the number of endpoints in the scope: If there are fewer than 10 endpoints in a scope, a distribution point is not assigned. If there are more than 10 but fewer than 20 endpoints, one distribution point is assigned. If there are more than 20 but fewer than 300 endpoints, two distribution points are assigned. If there are more than 300 but fewer than 600 endpoints, 3 distribution points are assigned. For larger numbers, if there are more than 300 * N endpoints but fewer than 300×(N+1), then N+2 distribution points are assigned. If there are already distribution points in a scope but the number of endpoints has decreased, the KSC Server reduces the number of distribution points in the scope. However, it uses other threshold values: The last distribution point disappears only after fewer than 6 endpoints remain in the scope. One distribution point remains when the number of endpoints in a scope drops below 15. Two distribution points remain when the number of endpoints in a scope drops below 200. Three distribution points remain when the number of endpoints in a scope drops below 400. For larger numbers, N-1 distribution points remain when the number of endpoints in a scope drops below 200×(N-2). This mechanism in which a second distribution point is added after reaching 20 endpoints in a scope but is removed when the number of endpoints drops below 15 is designed to protect against over-frequent reassignment of distribution points. The KSC Server reviews scopes and could potentially assign or unassign a distribution point every hour. How to monitor auto-assignment of Distribution Points: You can create Report on activity of Distribution Points. You can use Search: in Network activity tab select YES for the "This device is a distribution point" condition.
  1. Load more activity


×
×
  • Create New...