All Activity
  2. Description and cautions

The article shares a working example of using KSC Open API calls for one of the available scenarios: retrieving events and hardware and/or software inventory data for a host, and running and updating a task.

For the Windows version of cURL, the double quotes inside the arguments need to be escaped with "\", otherwise there will be an error. For example:

    'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

The commands below are written for a POSIX shell (single-quoted arguments); on Windows apply the escaping above.

Details

Prerequisites

Internal KSC user: api-user

Example values used below:
    KSC address: 127.0.0.1 (the address can also be external)
    API port: 13299 (default)
    User: api-user (internal KSC user), base64: YXBpLXVzZXI=
    Password: password, base64: cGFzc3dvcmQ=

Authentication type: Authenticated session (for other types, see the KSC Open API description).

All requests are in cURL format; as an alternative, the Python library (KlAkOAPI Python package) can be used.

Login

Start a connection to KSC (Session::StartSession):

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
      --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

The username and password are base64-encoded and sent as part of an HTTPS session (base64 is an encoding, not encryption: the credentials are protected only by the TLS connection). For example, https://www.base64encode.org/ can be used for encoding.

Response:

    {
      "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A=="
    }

Use this token in the X-KSC-Session request header of every following request. The tokens, accessors and iterator IDs shown below were captured from several different sessions; substitute the values returned to you.

Find Host

Find a host by filter string (HostGroup::FindHosts). The filter string contains a condition over host attributes, see also Search filter syntax. We use "KLHST_WKS_DN" (host display name):

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/HostGroup.FindHosts' \
      --header 'X-KSC-Session: nqepy9ZpZZ/2tiWXhil5cBg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "vecFieldsToReturn": ["KLHST_WKS_HOSTNAME", "KLHST_WKS_DN", "KLHST_WKS_IP_LONG", "KLHST_WKS_PRODUCT_TAG_NAME", "KLHST_WKS_RTP_AV_VERSION", "KLHST_WKS_NAG_VERSION", "KLHST_WKS_LAST_UPDATE", "KLHST_WKS_VIRUS_COUNT"],
        "lMaxLifeTime": 1200,
        "wstrFilter": "(KLHST_WKS_DN=\"WIN10-OPTIMUM-1\")"
      }'

Response ID:

    {"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":1}

Copy the accessor for the next request (ChunkAccessor::GetItemsChunk):

    curl -L -X POST 'https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk' \
      -H 'X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==' \
      -H 'Content-Type: application/json' \
      --data-raw '{
        "strAccessor": "fb07haDqXIKZbQzyDsMwx1",
        "nStart": 0,
        "nCount": 100
      }'

Response with info about the host:

    {"pChunk":{"KLCSP_ITERATOR_ARRAY":[
    {"type":"params","value":{"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","KLHST_WKS_IP_LONG":{"type":"long","value":172250504},"KLHST_WKS_LAST_UPDATE":{"type":"datetime","value":"2022-02-17T13:00:01Z"},"KLHST_WKS_NAG_VERSION":"13.2.0.1511","KLHST_WKS_RTP_AV_VERSION":"11.7.0.669","KLHST_WKS_VIRUS_COUNT":{"type":"long","value":9}}}
    ]},"PxgRetVal":1}

Copy the value of "KLHST_WKS_HOSTNAME" for use in the next requests.

Hardware Inventory

SrvView: find srvview data by filter string (SrvView::ResetIterator).
    "wstrViewName" - see List of supported srvviews.
    "vecFieldsToReturn" - see https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html
    "wstrFilter": "(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")" - KLHST_WKS_HOSTNAME from the previous request

    curl -L -X POST 'https://127.0.0.1:13299/api/v1.0/SrvView.ResetIterator' \
      -H 'X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==' \
      -H 'Content-Type: application/json' \
      --data-raw '{
        "wstrViewName": "HWInvPCSrvViewName",
        "vecFieldsToReturn": ["KLHST_WKS_HOSTNAME", "dev_id", "RamType", "dev_type"],
        "vecFieldsToOrder": [{"type": "params", "value": {"Name": "dev_id", "Asc": "true"}}],
        "lifetimeSec": 100,
        "pParams": {"TOP_N": "yes", "USE_DISTINCT": "true"},
        "wstrFilter": "(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")"
      }'

Response ID:

    {"wstrIteratorId":"466579A79FA755D69B94EC60A5B04744"}

Get the records from the iterator (SrvView::GetRecordRange):

    curl -L -X POST 'https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange' \
      -H 'X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==' \
      -H 'Content-Type: application/json' \
      --data-raw '{
        "wstrIteratorId": "50054D2A2D7A93DCEBFA3BE6F7E21D5E",
        "nStart": 0,
        "nEnd": 100
      }'

Response with info about the hardware matching the filter:

    {"pRecords":{"KLCSP_ITERATOR_ARRAY":[
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"ABE3CC21B521C704DA4FC63BD5698F71","dev_type":1}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\1&1F0C3C2F&0&UID256","dev_type":7}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\4&31BE19FA&0&UID0","dev_type":7}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E05564F28A7EBE312D1326FD0D1A8479","dev_type":1}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E69E8830E7D33F96BF1E21996A7D73CA","dev_type":0}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&18D45AA6&0&78","dev_type":4}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00\\005056FFFF87CC6600","dev_type":6}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"Physical Memory 0","dev_type":2}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&A629540&0&000000","dev_type":8}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000","dev_type":3}},
    {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0002","dev_type":4}}
    ]}}

Software Inventory

Acquire the software applications that are installed on the specified host (InventoryApi::GetHostInvProducts). "szwHostId" is the KLHST_WKS_HOSTNAME value from the previous request:

    curl -L -X POST 'https://127.0.0.1:13299/api/v1.0/InventoryApi.GetHostInvProducts' \
      -H 'X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==' \
      -H 'Content-Type: application/json' \
      --data-raw '{
        "szwHostId": "c0816918-fbc5-4fbc-8fed-6f245756120e",
        "pParams": {"KLEVP_EA_PARAM_1": ""}
      }'

Response with info about the software:

    {"PxgRetVal":{"GNRL_EA_PARAM_1":[
    {"type":"params","value":{"ARPRegKey":"{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","CleanerProductName":"","Comments":"","DisplayName":"Kaspersky Endpoint Security for Windows","DisplayVersion":"11.7.0.669","HelpLink":"https://click.kaspersky.com/?hl=en&link=support&pid=kes&version=21.4.20.669","HelpTelephone":"","InstallDate":"20211002","InstallDir":"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\","InstanceID":{"type":"binary","value":"AA=="},"LangId":1033,"PackageCode":"","ProductID":"4E8A2680B3C78565814848DB5ED35C83","Publisher":"AO Kaspersky Lab","QuietUninstallString":"msiexec.exe /X {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} /quiet /norestart","UninstallString":"msiexec.exe /x {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","VapmBuild":{"type":"long","value":0},"bIsMsi":true}},
    {"type":"params","value":{"ARPRegKey":"{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}","CleanerProductName":"","Comments":"","DisplayName":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508","DisplayVersion":"14.20.27508.1","HelpLink":"","HelpTelephone":"","InstallDate":"20210512","InstallDir":"","InstanceID":{"type":"binary","value":"AA=="},"LangId":0,"PackageCode":"","ProductID":"2E30B54FFAFE11F6DEDB0A31EA8CD6D1","Publisher":"Microsoft Corporation","QuietUninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall /quiet","UninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall","VapmBuild":{"type":"long","value":0},"bIsMsi":false}},
    ...

Tasks Operations

strTask is the task ID shown when you open the task in the Web Console, here 1326 (the ID is the last part of the URL, for example https://localhost:8080/#/management/tasks/148).

Get Task

Acquire the attributes of the specified task (Tasks::GetTask). Response:

    {"PxgRetVal":{"DisplayName":"KEA - Isolation ON","PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-10T13:57:34Z"},"TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASK_UNIQUE_ID":"1326"}}

Run Task

Run the remote installation task, i.e. start the specified task (Tasks::RunTask). "strTask" is the task ID from the KSC Web Console:

    curl -L -X POST 'https://127.0.0.1:13299/api/v1.0/Tasks.RunTask' \
      -H 'X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==' \
      -H 'Content-Type: application/json' \
      --data-raw '{ "strTask": "1326" }'

Update Task

Get Task Data: acquire the task settings (Tasks::GetTaskData):

    curl -L -X POST 'https://localhost:13299/api/v1.0/Tasks.GetTaskData' \
      -H 'X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==' \
      -H 'Content-Type: application/json' \
      --data-raw '{ "strTask": "1326" }'

The response contains all parameters; some of them must be used in the next request.

Modify the task settings (Tasks::UpdateTask):

    POST /api/v1.0/Tasks.UpdateTask HTTP/1.1
    Host: localhost:13299
    X-KSC-Session: n8quj71CtoWbYijcBHY6FvA==
    Content-Type: application/json
    Content-Length: 3477

    {
      "strTask":"1338",
      "pData":{
        "TASKID_COMPONENT_NAME":"87",
        "TASKID_PRODUCT_NAME":"1093",
        "TASKID_VERSION":"1.0.0.0",
        "TASK_NAME":"Remote Installation",
        "TASKSCH_TYPE":0,
        "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}},
        "PRTS_TASK_GROUPID":-1,
        ".HstQueryId":0,
        "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}}
      }
    }

Change the values in HostList to the specific hosts you want the task to target. For example:

    "HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}]

Run Task: after updating, start the task with Tasks::RunTask as shown above.

Host Events

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2).

pFilter (params) - object containing values for attributes to filter events. Only events with matching attribute values will be returned. If empty, all events will be returned. See List of event filter attributes for attribute names.

"GNRL_EA_SEVERITY" (paramInt) - event severity. May have the following values:
    0 - constant to be used as an invalid event severity value
    1 - severity "Information"
    2 - severity "Warning"
    3 - severity "Error"
    4 - severity "Critical"

vecFieldsToReturn (array) - array of attribute names to return. See List of event attributes for attribute names.

"KLEVP_EVENT_HOST" is the host ID (KLHST_WKS_HOSTNAME) obtained in Find Host; "GNRL_EA_SEVERITY": 4 selects critical events only.

    POST /api/v1.0/EventProcessingFactory.CreateEventProcessing2 HTTP/1.1
    Host: localhost:13299
    X-KSC-Session: nvLZ4Hwi5VAL7XIiMwPaxPw==
    Content-Type: application/json
    Content-Length: 440

    {
      "pFilter": {
        "KLEVP_EVENT_HOST": "a537ddc0-b84b-488a-993c-9f76e62036e9",
        "GNRL_EA_SEVERITY": 4
      },
      "vecFieldsToReturn": [
        "GNRL_EA_SEVERITY",
        "event_db_id",
        "rise_time",
        "hostname",
        "event_type",
        "event_type_display_name",
        "GNRL_EA_DESCRIPTION",
        "group_id",
        "group_name"
      ],
      "vecFieldsToOrder": [],
      "lifetimeSec": 1000
    }

Response ID:

    {"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the result from the iterator (EventProcessing::GetRecordRange):

    curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
      --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "strIteratorId": "A07B69A5347CF435DB66C0FA826371FF",
        "nStart": 0,
        "nEnd": 100
      }'

Response with the critical events:

    {"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[
    {"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119829},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:10:44Z"}}},
    {"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119818},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:05:34Z"}}},
    {"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119807},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime", ...

Close the session to KSC (Session::EndSession). The X-KSC-Session value is the PxgRetVal returned by Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='
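The Login, Find Host and Host Events steps above, as an added Python example that is neither the article's cURL commands nor the KlAkOAPI package: it builds the KSCBasic header, validates the display name before interpolating it into wstrFilter, unwraps the typed {"type", "value"} records that GetItemsChunk and EventProcessing.GetRecordRange return, and replays the responses quoted above through an injectable transport so it runs offline. KscSession, https_transport, offline_transport and the SAMPLE_RESPONSES dict are this example's own assumptions.

```python
import base64
import json
import re
import urllib.request
from typing import Any, Callable, Dict, List

# Constructed sample: the responses quoted in the article above, keyed by API method.
SAMPLE_RESPONSES: Dict[str, Any] = {
    "Session.StartSession": {"PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A=="},
    "HostGroup.FindHosts": {"strAccessor": "ppYeO5rmkvKcMUm8vQzOK2", "PxgRetVal": 1},
    "ChunkAccessor.GetItemsChunk": {"PxgRetVal": 1, "pChunk": {"KLCSP_ITERATOR_ARRAY": [
        {"type": "params", "value": {
            "KLHST_WKS_DN": "WIN10-OPTIMUM-1", "KLHST_WKS_HOSTNAME": "c0816918-fbc5-4fbc-8fed-6f245756120e",
            "KLHST_WKS_IP_LONG": {"type": "long", "value": 172250504},
            "KLHST_WKS_LAST_UPDATE": {"type": "datetime", "value": "2022-02-17T13:00:01Z"},
            "KLHST_WKS_NAG_VERSION": "13.2.0.1511", "KLHST_WKS_RTP_AV_VERSION": "11.7.0.669",
            "KLHST_WKS_VIRUS_COUNT": {"type": "long", "value": 9}}}]}},
    "Session.EndSession": {},
}
# A transport takes (url, headers, json_body) and returns the parsed JSON response.
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def ksc_basic_header(user: str, password: str, internal: bool = True) -> str:
    """Authorization value for Session.StartSession. base64 is encoding, not
    encryption: the credentials are protected only by TLS on the connection."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return 'KSCBasic user="%s", pass="%s", internal="%s"' % (
        b64(user), b64(password), "1" if internal else "0")


def display_name_filter(display_name: str) -> str:
    """wstrFilter for HostGroup.FindHosts on KLHST_WKS_DN. The name is validated, not
    escaped (assumption: KSC filter quoting rules are not covered here), so input
    that could rewrite the filter is rejected instead of being interpolated."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", display_name):
        raise ValueError("unsupported characters in host display name")
    return '(KLHST_WKS_DN="%s")' % display_name


def decode_params(value: Any) -> Any:
    """Recursively unwrap KSC typed values: {"type": "long", "value": 9} -> 9."""
    if isinstance(value, dict) and set(value) == {"type", "value"}:
        return decode_params(value["value"])
    if isinstance(value, dict):
        return {k: decode_params(v) for k, v in value.items()}
    if isinstance(value, list):
        return [decode_params(v) for v in value]
    return value


def https_transport(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Real POST over TLS; the KSC certificate must be trusted by this client's CA store."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read().decode("utf-8")
    return json.loads(raw) if raw else {}


def offline_transport(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
    """Replays the captured responses; rejects calls that lack the session token."""
    method = url.rsplit("/", 1)[-1]
    if method != "Session.StartSession" and "X-KSC-Session" not in headers:
        raise PermissionError("missing X-KSC-Session token")
    return SAMPLE_RESPONSES[method]


class KscSession:
    def __init__(self, base_url: str, transport: Transport = https_transport) -> None:
        self.base_url, self.transport, self.token = base_url.rstrip("/"), transport, ""

    def call(self, method: str, body=None, extra=None) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json", **(extra or {})}
        if self.token:  # every call after StartSession carries the session token
            headers["X-KSC-Session"] = self.token
        return self.transport("%s/api/v1.0/%s" % (self.base_url, method), headers, body or {})

    def login(self, user: str, password: str) -> str:
        self.token = self.call("Session.StartSession",
                               extra={"Authorization": ksc_basic_header(user, password)})["PxgRetVal"]
        return self.token

    def find_hosts_by_display_name(self, display_name: str, fields: List[str]) -> List[Dict[str, Any]]:
        acc = self.call("HostGroup.FindHosts", {"vecFieldsToReturn": fields, "lMaxLifeTime": 1200,
                                                "wstrFilter": display_name_filter(display_name)})
        chunk = self.call("ChunkAccessor.GetItemsChunk",
                          {"strAccessor": acc["strAccessor"], "nStart": 0, "nCount": 100})
        return [decode_params(item) for item in chunk["pChunk"]["KLCSP_ITERATOR_ARRAY"]]

    def logout(self) -> None:
        self.call("Session.EndSession")
        self.token = ""


def demo() -> List[Dict[str, Any]]:
    # Login -> FindHosts -> GetItemsChunk -> EndSession, offline against the captured responses.
    s = KscSession("https://127.0.0.1:13299", transport=offline_transport)
    s.login("api-user", "password")
    hosts = s.find_hosts_by_display_name("WIN10-OPTIMUM-1", ["KLHST_WKS_HOSTNAME", "KLHST_WKS_DN"])
    s.logout()
    return hosts
```

Against a real server, construct KscSession without the transport argument (https_transport is the default) and pass the same fields and filter as in the cURL commands.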
  3. Description and cautions

Sometimes you may need KWTS to write syslog messages to a different log name and/or path. We're talking about the syslog facility setting in the KWTS web interface.

The steps below were performed on CentOS 7+ x64 and Ubuntu 20.04/22.04 x64 with KWTS 6.1 (not the ISO version).

By default the facility is set to local1, and depending on the OS, KWTS writes syslog messages to:
    1) CentOS > /var/log/messages
    2) Ubuntu > /var/log/syslog

Details

So here's how to change the default behavior:

1. Change the value in the web interface to, for instance, local0.
2. Modify /var/opt/kaspersky/kwts/postgresql/postgresql.conf, so it should look like this:
3. Modify the rsyslog files like this:
    - For CentOS: /etc/rsyslog.conf
    - For Ubuntu: /etc/rsyslog.d/50-default.conf (actually it could be a different name, but this one is the default for a clean installation of Ubuntu)
4. Configure rotation for your /var/log/kwts-syslog.log (name it as you wish):
    - For CentOS: /etc/logrotate.d/syslog; you can just append it to the current rotation settings or configure your own parameters (refer to the online documentation)
    - For Ubuntu: /etc/logrotate.d/syslog (you can create your own parameters as well)
5. Reboot the OS and finally check that KWTS writes syslog messages to your new log with the cat /var/log/kwts-syslog.log command.
  4. Problem

When a user is a member of a lot of AD groups, they may be unable to log in to the KATA web interface via SSO (the Kerberos ticket carried in the SSO request grows with the number of group memberships, so the request headers exceed the default buffer sizes).

Step-by-step guide

1. Modify /etc/opt/kaspersky/apt-swarm/swarm_config.json like this: set buffer_size to 65535 under the uwsgi section (it's at the bottom of the file).
2. Execute via SSH:
    apt-settings-manager get /configuration/web_backend | python -m json.tool > /tmp/web_backend
3. vim /tmp/web_backend
4. Find uwsgi and change the value as per below, then save the file:
    "uwsgi": {
        "buffer_size": 65535,
        "cache2": [
5. Put the settings back:
    apt-settings-manager set /configuration/web_backend @/tmp/web_backend
6. Execute:
    docker ps | grep nginx
   The output will be similar to this:
    39c125e0546e kaspersky/kata/web/nginx_gateway:0e5fabb
   Write down this value, 39c125e0546e (yours will be different).
7. Execute:
    docker exec -it 39c125e0546e bash
    echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf
    nginx -s reload
    exit
8. Do the same (steps 6-7) for the web_backend container.
9. However, if the web_backend and nginx_gateway containers are restarted, the changes from steps 6-7 will be lost, so you can quickly put the settings back like this:
    docker exec -it `docker ps | grep web_backend | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'
    docker exec -it `docker ps | grep nginx_gateway | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'
  5. Problem Description, Symptoms & Impact

When downloading large collects (sandbox-debug-report) exceeding 1 GB in size, the download suddenly fails above 1 GB (at ~1 05x xxx KB).

Diagnostics

Reproducible in all browsers, not bound to download speed; the downloaded part size is roughly 1 GB.

Workaround & Solution

Workaround: download the sandbox-debug-report using SCP and the CLI, see https://forum.kaspersky.com/topic/how-to-gather-sandbox-debug-report-from-terminal-katakedre-36851/

Solution: as root, add the directive uwsgi_max_temp_file_size 0; to the file /etc/nginx/conf.d/sandbox-ram-frontend.conf on the sandbox, as follows:

    location ~ ^/api/(.*) {
        rewrite ^/api/(.*)$ $1 break;
        uwsgi_pass ram_backend;
        uwsgi_read_timeout 900;
        client_max_body_size 2048m;
        include uwsgi_params;
        uwsgi_max_temp_file_size 0;   # <--- add this line
    }

Apply the changes by reloading the nginx configuration:

    nginx -s reload

RCA

The built-in 1 GB limit of the nginx uwsgi module for buffering a response to a temporary file (uwsgi_max_temp_file_size) is applied unless another limit is specified explicitly; a value of 0 disables buffering to temporary files, so the response is passed to the client without the size cap.
  6. Here we try to describe the proper scenario of device deletion.

First of all, you need to put the device into the "Marked for deletion" list. After that, if the device is still syncing with KES Cloud, the applications will be uninstalled automatically and the device will be deleted. Here is the article with detailed information.

You may be confused by the "Permanently delete" option. Please note that this option should be used to delete the entry from this list. It can be useful when the machine is not syncing with KES Cloud anymore and there is only an entry left in the list. To delete this entry you can use the "Permanently Delete" option. If the machine is still working and syncing with Network Agent, you should not use this option, because after the entry is deleted it will appear again in the console after the first successful sync. You should wait for the automatic deletion of the applications or delete them manually.

To delete a device properly, you need to wait until the uninstallation process has been performed or force it with the "Run uninstallation now" option in the device properties. You should not do it for all devices: when you start this feature for one device, it will be started for the others too.
  7. Issue

The "Databases and modules update task" is configured for hosts with LENA 3.12 installed. The task is executed via KSC.

Diagnostics

- The "Activate KEA" task is configured for the hosts with LENA, or has been configured and deleted in the past.
- An update executed locally using lenactl works.
- KLNagent successfully synchronizes with the server.
- Other installed applications (e.g. KESL) display no synchronization issues.

Workaround

To fix the issue:

1. Remove the "Activate KEA" task or any other configured KEA tasks except for the "Databases and modules update task" for hosts with LENA installed. If necessary, move hosts with LENA to a separate group or configure the other desired KEA tasks using a selection for Windows hosts only.
2. Ensure there are no tasks except for the "Databases and modules update task" remaining for hosts with LENA installed in KSC.
3. Option A. Reinstall LENA on the hosts to get rid of the cached activation tasks.
   Option B. Remove the problematic cached tasks locally:
    Stop LENA:
        # systemctl stop epagent
    Remove the cached tasks:
        # rm -rf /var/opt/kaspersky/epagent/tasks/*
    Start LENA:
        # systemctl start epagent
    Force synchronization with the host, e.g. by calling klnagchk:
        # /opt/kaspersky/klnagent64/bin/klnagchk
    Ensure one task is received:
        # ll /var/opt/kaspersky/epagent/tasks/
4. Execute the "Databases and modules update task" on KSC. Ensure it finishes successfully. Double-check locally that the databases are updated.

RCA

The LENA connector that receives the product tasks from KLNagent is configured to accept only valid tasks and to halt synchronization if an invalid task is received. Only the "Databases and modules update task" is considered valid for the certified LENA version. The "Activate KEA" task is received or cached first; the connector halts synchronization once it is processed, so the update task is never received by the product.
  8. NOTE: KSC CC is a cloud solution and its IP address can change.

Run the klnagchk utility on a host connected to the target workspace. Find the KSC CC server address in the klnagchk output; it should look like eXXX.ksc.kaspersky.com. Use the nslookup utility to find the IP address of this server.
  9. Description and cautions

This article describes a specific scenario: an HA cluster of KSC with 4 CGWs between two different, geographically isolated DCs (Data Centers).

High-level procedure:
- KLAdmins group: ksc, rightless / gmsa-ksc-server, gmsa-ksc-nwc; $KSC-NODE-1, $KSC-NODE-2, $SQL-SRV / sql / gmsa-sql-server
- SMB shares: data, state, sc_backup, kl-share | SMB permissions and NTFS ACL: Full Control for KLAdmins
- Create the MS SQL database KLFOC | grant access for the Administration Server account
- Reboot the servers
- Map network drives: data, state
- Install KLFOC

Details

Here below is the detailed step-by-step procedure.

General terms
- HA - High Availability
- DC - Data Center
- CGW - Connection Gateway
- gMSA - Group Managed Service Account
- WSFC - Windows Server Failover Cluster

Prerequisites

Hardware and software requirements. To deploy a Kaspersky failover cluster, you must have the following:
- 2x Windows Server with identical hardware and software. These servers will act as the active and passive nodes.
- OS: Windows Server 2019, activated and configured on both servers, with the latest Windows updates and drivers installed.
- Windows Firewall: disabled on both KSC server nodes.
- DNS: A and PTR records for the nodes; 2x IP addresses for the KSC nodes.
- Internet connectivity for both KSC server nodes: 1. for downloading signatures and application updates on the KSC cluster; 2. for downloading third-party updates for Vulnerability and Patch Management (if applicable).
- Microsoft OLE DB Driver for SQL Server (link): "Introduce multi-subnet failover capabilities in this first upcoming release, and keeps up with latest TLS 1.2 standards."

Connection with TLS 1.2:
1. Make sure that the remote SQL Server (or SQL Express) used by the Administration Server is really a 64-bit application (sqlservr.exe is a 64-bit process).
2. On the computer with Administration Server installed, do the following:
   - Install the MSOLEDBSQL provider and reboot the computer if required.
   - Set KLDBADO_UseMSOLEDBSQL=1:
     i. either by defining the global environment variable KLDBADO_UseMSOLEDBSQL=1,
     ii. or by setting the Administration Server flag KLDBADO_UseMSOLEDBSQL=1 using klscflag.exe:
         klscflag.exe -fset -pv klserver -n KLDBADO_UseMSOLEDBSQL -v 1 -t d
   - Reboot the computer if required.
3. Make sure that Administration Console successfully connects to Administration Server and that the Kaspersky Event Log on the Administration Server computer does not contain errors like 'Generic db error: "11526 '{42000} The metadata could not be determined'.

- File server that supports the CIFS/SMB protocol, version 2.0 or higher: a server that is participating in a WSFC. Make sure you have provided high network bandwidth between the file server and the active and passive nodes.
- DBMS | MS SQL cluster on WSFC with Always On availability groups (SQL Server Failover Cluster Installation). Listener DNS Name: specifies the DNS host name of the availability group listener; the DNS name is a string that must be unique in the domain and in NetBIOS. Use the Microsoft OLE DB Driver for SQL Server (see above). Pre-create the database on the MS SQL cluster (the DB name should be one word without special characters) and grant the "DB Owner" permission to the account under which the services of Kaspersky Security Center will run.

Switch conditions

The failover cluster switches protection management of the client devices from the active node to the passive node with CGWs in the LAN or DMZ network if any of the following events occurs on the active node:
- The active node \ LAN-CGW \ DMZ-CGW is broken due to a software or hardware failure.
- The active node was temporarily stopped for maintenance activities.
- At least one of the Kaspersky Security Center services (or processes) failed or was deliberately terminated by a user. The Kaspersky Security Center services are the following: kladminserver, klnagent, klactprx, and klwebsrv.
- The network connection between the active node and the storage on the file server was interrupted or terminated.

Deployment of a Kaspersky failover cluster

Creating an account for Kaspersky Security Center services

Create a new domain group, name it 'KLAdmins', and then grant local administrator permissions to the group on both nodes and on the file server. Then create two new domain user accounts, name them 'ksc' and 'rightless', and add the accounts to the KLAdmins domain group. Add the user account under which Kaspersky Security Center will be installed to the KLAdmins domain group.

Domain accounts:
- Account for running the installer: local admin.
- Accounts for the Administration Server services and for work with the DBMS: gMSA service account.
  1. The gMSA service account will be used to run the Kaspersky Security Center 13 Administration Server services. How to create a gMSA account: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
  2. The gMSA service account must have the dbo role permission on the pre-created Kaspersky database running on the MS SQL cluster. The dbo schema must be used by default. For more details on the required permissions: https://support.kaspersky.com/KSC/12/en-US/156275.htm
  3. Assign domain admin permission for the KSC installation process only.
- KLAdmins - global security group:
  - Administration Server account - Domain\gMSA
  - Account for the other services from the Administration Server pool - rightless
  - Computer accounts $ksc-node1 and $ksc-node2
  - SQL account - Domain\gMSA or computer account $SQL-server

File server preparation

Prepare the file server to work as a component of the Kaspersky failover cluster. Make sure that the file server meets the hardware and software requirements, create the shared folders for Kaspersky Security Center data, and configure permissions to access the shared folders.

Step 1. Make sure that the file server meets the hardware and software requirements.
Step 2. Make sure that the file server and both nodes (active and passive) are included in the same domain, or that the file server is the domain controller.
Step 3. On the file server, create the shared folders data, state, klshare and SC_Backup. One of them is used to keep information about the failover cluster state. The other one is used to store the data and settings of Kaspersky Security Center.
Step 4. Grant full access permissions (both share permissions and NTFS permissions) on the created shared folders to the following accounts and groups: computer accounts $ksc-node1 and $ksc-node2; SQL account - Domain\gMSA or computer account $SQL-server.

Preparation of active and passive nodes

Prepare two computers with identical hardware and software to work as the active and passive nodes. To prepare nodes for a Kaspersky failover cluster:
1. Make sure that you have two computers that meet the hardware and software requirements. These computers will act as the active and passive nodes of the failover cluster.
2. Make sure that the file server and both nodes are included in the same domain.
3. Do one of the following:
   - Skip this step and configure the CGWs after the KLFOC installation.
   - On each of the nodes, create a virtual network adapter. The virtual network adapters must be disabled. You can create the virtual network adapters in the disabled state or disable them after creation. The virtual network adapters on both nodes must have the same IP address.
   - Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following: provide a dedicated Linux-based computer with nginx installed; configure load balancing; set the active node as the main server and the passive node as the backup server; on the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13291, TCP 13299, and TCP 17000.
4. Restart both nodes and the file server.
5. Map the two shared folders that you created during the file server preparation step to each of the nodes. You must map the shared folders as network drives. When mapping the folders, you can select any vacant drive letters. To access the shared folders, use the credentials of the user account that you created before.

The nodes are prepared.

Database Management System (DBMS) installation

Select any of the supported DBMS, and then install the DBMS on a dedicated computer. As best practice, an HA configuration of the DBMS\SQL is used: an MS SQL cluster on WSFC with Always On availability groups (SQL Server Failover Cluster Installation; the listener DNS name must be unique in the domain and in NetBIOS; Microsoft OLE DB Driver for SQL Server as described in the prerequisites).

DB - KLFOC: create the database with the specified name (one word without special characters) on the MS SQL cluster and grant the "DB Owner" permission to the account under which the services of Kaspersky Security Center will run.

Kaspersky Security Center installation

Install Kaspersky Security Center in the failover cluster mode on both nodes. You must first install Kaspersky Security Center on the active node, and then install it on the passive one. How-to instructions: Installing Kaspersky Security Center on the Kaspersky failover cluster nodes.

Specifying the Administration Server certificate

If necessary, you can assign a special certificate for Administration Server by using the command-line utility klsetsrvcert.
To replace the certificate you must create a new one (for example, by means of the organization's PKI) in PKCS#12 format and pass it to the klsetsrvcert utility klsetsrvcert.exe --stp klfoc -t C -i "C:\KLFOC\new-cert.pfx -p "<password>" -l "new-cert-change.log" -o "NoCA" When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error". To specify the new certificate and restore the connection, you can use the klmover utility. Settings LAN\DMZ Gateways Assigning Workstations (LAN-GW) to act as a distribution point Enable feature "Connection Gateway" Adding a connection gateways in the DMZ as a distribution point Install external gateways with the setting that this is a connection gateway in the DMZ On the KSC, add a distribution point as a connection gateway in the DMZ KSC initiates a connection to gateway and the gateway will appear as a distribution point Open the properties and set the checkbox in the Connection gateway section Create group for GW and add workstations with installed DPs and GWs Configuration for Network Agent Policy Create 2 groups for workstations DC-1 and DC-2 and group for GW For both groups create policies: Network Agent DC-1 Network Agent DC-2 Add Connection profiles and Network Locations for users DC-1 and DC-2 Testing the failover cluster Check that you configured the failover cluster correctly and that it works properly. For example, you can stop one of the Kaspersky Security Center services on the active node: kladminserver, klnagent, ksnproxy, klactprx, or klwebsrv. After the service is stopped, the protection management must be automatically switched to the passive node. Troubleshooting DB Error Check permissions for gMSA account KLBACKUP Run klbackup utulity with --stp klfoc klbackup --stp klfoc Data backup and recovery in non-interactive mode
  10. Advice and Solutions (Forum Knowledgebase)
Disclaimer. Read before using materials.
How to monitor KATA system health such as CPU, HDD, memory usage, services status, etc.? How to output this information?
Locally, monitoring product operation and component health can be done in the KATA dashboard. CPU, memory or similar metrics can be viewed using built-in Linux tools in support mode.
Available remote monitoring options are:
- Using SNMP
- Heartbeats in SIEM integration
- Email notifications about alerts and system health
For the Sandbox component, only the SSL probing option is available:
echo "Q" | openssl s_client -connect sandbox:443
  11. Problem
Host connected to KES Cloud. Disk encryption disabled in profile. Encryption error in host properties.
Workaround
Try to create a new security profile (create a new one, do not copy one of the current profiles), do not modify the encryption settings in it (leave it in the disabled status), and assign the affected device to it. These steps should help to fix the problem.
Update: in case you encounter this with a server OS, it will be fixed in KES Cloud release 24.9.
Another possible cause on Windows Server OS
Try to add the BitLocker Windows feature to all affected devices via Server Manager > Manage > Add Roles and Features. In the Features section choose BitLocker Drive Encryption. Wait for several minutes. Status will become 'OK'.
  12. Configuring the KEA update task is of crucial importance. Updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means to check the bases version locally. The solution to this demand is to check the bases version locally via CLI.
KEA for Windows bases date
From an elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Bases\Current\aptem.stt"
The example output is as follows:
;202209190911
Format is ;YYYYMMDDHHMM
KEA for Linux (LENA) bases date
Fresh installation: for a fresh LENA installation that has never been updated, the bases "aptem.stt" file might be missing.
From root or using sudo:
sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt
Output format is the same, ;YYYYMMDDHHMM.
Using built-in tools, we can easily make it human-readable:
sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt | sed -E 's/\;([0-9]{8})([0-9]{2})([0-9]{2})/\1 \2:\3/g' | xargs -0 date -d
Bonus: LENA's last update date
LENA's last update date is stored in epoch format in /opt/kaspersky/epagent/update/last_update. Using built-in tools, we can make it human-readable:
sudo cat /var/opt/kaspersky/epagent/update/last_update | xargs -0 -I% date -d \@%
It is also worth mentioning that "Last update date" is relevant but it is still an entirely different value than the bases date. In case the bases in the repository are outdated, the last update date may be 5 minutes ago, yet the bases will remain old.
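The post above gives one-liners for reading the bases stamp and the last-update epoch. The script below is an added example (it is not part of the post and not Kaspersky's own tooling) that wraps the same two files in checkable functions: it decodes the ;YYYYMMDDHHMM stamp without depending on sed, converts it to Unix time, renders last_update, and returns a non-zero status when the bases are older than a threshold, which is the check a monitoring job actually needs. It assumes GNU date (as the post's commands do), that the stamp is UTC, and the file paths the post names; the sample file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: decode KEA/LENA bases stamps
# (";YYYYMMDDHHMM") and last_update (epoch seconds) and flag stale bases.
# Assumptions: GNU date is available; the stamp is interpreted as UTC.

# ";202209190911" -> "2022-09-19 09:11" using only POSIX tools.
parse_bases_stamp() {
    s=${1#;}
    s=$(printf '%s' "$s" | tr -d '[:space:]')
    case $s in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "unexpected stamp format: $1" >&2; return 1 ;;
    esac
    printf '%s-%s-%s %s:%s\n' \
        "$(printf '%s' "$s" | cut -c1-4)" "$(printf '%s' "$s" | cut -c5-6)" \
        "$(printf '%s' "$s" | cut -c7-8)" "$(printf '%s' "$s" | cut -c9-10)" \
        "$(printf '%s' "$s" | cut -c11-12)"
}

# Stamp -> Unix time (GNU date; stamp treated as UTC, an assumption).
stamp_to_epoch() {
    date -u -d "$(parse_bases_stamp "$1")" +%s
}

# Age of the bases in whole days relative to a reference epoch (default: now).
bases_age_days() {
    stamp=$1; now=${2:-$(date +%s)}
    echo $(( (now - $(stamp_to_epoch "$stamp")) / 86400 ))
}

# last_update holds epoch seconds; render it as a UTC timestamp.
last_update_human() {
    date -u -d "@$(printf '%s' "$1" | tr -d '[:space:]')" '+%Y-%m-%d %H:%M:%S UTC'
}

# Report on a LENA host. Exit status: 0 fresh, 1 stale, 2 bases file missing
# (a never-updated installation, as the post notes).
check_lena_bases() {
    bases_file=${1:-/var/opt/kaspersky/epagent/update/bases/aptem.stt}
    last_file=${2:-/var/opt/kaspersky/epagent/update/last_update}
    max_days=${3:-7}
    [ -r "$bases_file" ] || { echo "bases file missing (never updated?): $bases_file" >&2; return 2; }
    stamp=$(cat "$bases_file")
    age=$(bases_age_days "$stamp")
    echo "bases date: $(parse_bases_stamp "$stamp") UTC (age ${age}d)"
    # The last update *attempt* is a different value: it can be recent while the bases stay old.
    [ -r "$last_file" ] && echo "last update attempt: $(last_update_human "$(cat "$last_file")")"
    [ "$age" -le "$max_days" ]
}

# Run against the real files when invoked with arguments, e.g.
#   sudo sh check_bases.sh /var/opt/kaspersky/epagent/update/bases/aptem.stt \
#        /var/opt/kaspersky/epagent/update/last_update 7
if [ "$#" -gt 0 ]; then
    check_lena_bases "$@"
fi
```

The exit status makes the check usable from cron or a SIEM collector: a stale-bases condition with a recent last_update is exactly the "update task runs but the repository is outdated" situation the post warns about.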
  13. Intro
This instruction describes how to create an installation package (.pkg) for the MacOS operating system from the standalone installation package of Kaspersky Endpoint Security for Mac. You may need to create such a package to automate the installation of Kaspersky Endpoint Security software via third-party systems (e.g. AirWatch).
Details
Files: Munki tool (with predefined files)
Prerequisites: Kaspersky Security Center; MacOS machine; Python must be installed
Usage
1. Create a standalone installation package for Kaspersky Endpoint Security for Mac (https://support.kaspersky.com/KSC/14/en-US/182663.htm).
2. On a MacOS machine: unzip the file munki-munki-pkg-e018bf1.zip to Desktop.
3. Open Terminal and navigate to the directory munki-munki-pkg-e018bf1:
cd /Users/John/Desktop/munki-munki-pkg-e018bf1
4. Copy the built standalone installation package (kesmac11.2.1.145.sh) to the postinstall file in the kesmac/scripts/ directory:
cp kesmac11.2.1.145.sh kesmac/scripts/postinstall
5. Modify the code of the standalone installation package with the vim editor:
vi kesmac/scripts/postinstall
Replace the section in the file with the modified section (note that the line "#!/bin/sh" must be the first line in the file; there must be no empty lines before it):
nagent/scripts/postinstall (new)
#!/bin/sh
logfile="/tmp/kesmac11.2.1.1450.log"
wstrUnpackTempPath="${TMPDIR:-/tmp}"/"$(date '+%d.%m_%H.%M.%S.%N')"
if [ -f "$logfile" ]; then
    rm -f "$logfile"
fi
# Clean up the temporary directory, log the message and exit with the given code
ExitWithError()
{
    echo "Clean temporary directory '$wstrUnpackTempPath'" >> $logfile
    rm -rf "$wstrUnpackTempPath"
    echo "$2" >> $logfile
    exit $1
}
rm -rf "$wstrUnpackTempPath"
mkdir "$wstrUnpackTempPath" || ExitWithError 1 "Failed to create temporary directory '$wstrUnpackTempPath': error = $?"
echo "Unpack archive to '$wstrUnpackTempPath'..." >> $logfile
# The archive is appended to this script after the marker line; extract everything below it
archive_marker_line=$(grep -an '^CCFAFCA1-F619-4618-B8C1-107EF7694A0C-ARCHIVE:$' "$0" | cut -d : -f 1 | tail -1)
tail -n +$((archive_marker_line + 1)) "$0" | tar -xzf - -C "$wstrUnpackTempPath" > /dev/null || ExitWithError 1 "Failed to unpack archive: error = $?"
echo "Found installer..." >> $logfile
# Installer name and parameters are read from the .kud/.kpd descriptors in the unpacked archive
wstrExecName=$(grep -o -r "--include=*.kud" "--include=*.kpd" '^Executable=.*\.sh' $wstrUnpackTempPath | sed 's/.*=//' | sed 's/.*[\\/]//')
[ ! -z "$wstrExecName" ] || ExitWithError 1 "Installer not found"
echo "Found parameters..." >> $logfile
wstrParams=$(grep -o -r "--include=*.kud" "--include=*.kpd" '^Params=.*' $wstrUnpackTempPath | sed 's/.*=//' | sed 's/\r//')
echo "Run package installer '$wstrExecName $wstrParams' ..." >> $logfile
sh "$wstrUnpackTempPath/$wstrExecName" $wstrParams >> $logfile || ExitWithError $? "Installation failed: error = $?"
echo "Product successfully installed!" >> $logfile
ExitWithError 0 ""
6. Add the execution bit:
chmod +x kesmac/scripts/postinstall
7. You can also change the metadata (if needed) in the nagent/build-info.plist file:
<key>version</key> <string>11.2.1.145</string>   (version of package)
<key>name</key> <string>Kaspersky Endpoint Security.pkg</string>   (name of package)
<key>identifier</key> <string>com.kaspersky.kesmac</string>   (identifier of package)
8. Perform the assembly:
./munkipkg kesmac
The built package will be available in the kesmac/build directory with the name <name of package from build-info.plist>.pkg
Important
Before installing, a configuration profile must be installed: https://support.kaspersky.com/kes11mac/settings/15647
The configuration profile contains settings that are only allowed through User Approved Mobile Device Management (UAMDM), so when you apply the configuration profile locally on the device, the error "Profile installation failure. System profile required. User profiles are not supported" appears. To avoid the error, use the remote administration utility.
When installing a .pkg built this way, MacOS may give an error that the package has been signed by an unauthorized developer. It is necessary to allow it to run in the OS.
The installation log will be saved to the file /tmp/kesmac11.2.1.1450.log
  14. Advice and Solutions (Forum Knowledgebase)
Disclaimer. Read before using materials.
Problem Description
Error "Error 1181/0x91 ('System error 0x91 (The directory is not empty.)') occured while deleting directory 'C:\ProgramData\KasperskyLab\adminkit\1103'" when installing Network Agent. The error can be found on a screenshot.
How To Fix
Make sure that the folder 'C:\ProgramData\KasperskyLab\adminkit\1103' actually exists. If you can navigate to this folder in Explorer (with "Hidden items" enabled), try to delete or rename this folder and repeat the installation.
If you can't find this directory, then please try to navigate to the 'C:\ProgramData\Kaspersky Lab\adminkit' folder in the terminal (cmd) from the NT AUTHORITY\SYSTEM account. Then check its contents with the "dir" command. If the folder appears in the list, then try deleting it or renaming it. Here you will probably need one of the following CMD commands:
rmdir /S /Q "C:\ProgramData\KasperskyLab\adminkit\1103"   (in order to remove)
ren "C:\ProgramData\KasperskyLab\adminkit\1103" "1103_old"   (in order to rename)
Do not forget to perform all actions from an account that has local administrator rights on this computer with elevated privileges (from the Administrator), if UAC is used.
  15. Problem
KSC and KS4Android are implemented but KSC is offline and cannot access the Internet. KUU can be used for updating KS for Android and distributing the update databases. But after running KUU (Kaspersky Update Utility), you cannot find actual KES for Android versions.
Solution
AV bases for new KESM versions will appear in the KUU UI after running KUU with an empty application list. The KUU settings should look like the following (in order to update the list of supported applications, you first need to press 'Start' with a blank application list as follows):
  16. When creating an IoC scan task, only the following registry branches are scanned.
<field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value='{
  LR"(HKEY_CLASSES_ROOT\htafile)",
  LR"(HKEY_CLASSES_ROOT\batfile)",
  LR"(HKEY_CLASSES_ROOT\exefile)",
  LR"(HKEY_CLASSES_ROOT\comfile)",
  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors)",
  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider)",
  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class)",
  LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders)",
  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server)",
  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager)",
  LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)",
  LR"(HKEY_LOCAL_MACHINE\Software\Classes\piffile)",
  LR"(HKEY_LOCAL_MACHINE\Software\Classes\htafile)",
  LR"(HKEY_LOCAL_MACHINE\Software\Classes\exefile)",
  LR"(HKEY_LOCAL_MACHINE\Software\Classes\comfile)",
  LR"(HKEY_LOCAL_MACHINE\Software\Classes\CLSID)",
  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)",
  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)",
  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer)",
  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)",
  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components)",
  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)",
  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)",
  LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug)",
  LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)"
}' tag-id="2" tag-name="PredefinedKeyPaths"/>
IoC tasks that are configured to scan other branches of the registry will not return any results.
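Because an IoC that points at a branch outside this list silently returns nothing, it is worth checking the registry paths of an IoC before the task is created. The script below is an added example (not part of the post and not a Kaspersky tool): it carries the predefined_keypaths list quoted above, normalises a registry path (case, HKLM/HKCR abbreviations, forward slashes), and reports whether the path lies inside a predefined branch. The sample IoC paths at the bottom are constructed for the demo; the abbreviation handling is my assumption about how paths typically appear in IoC files.

```shell
#!/bin/sh
# Added example, not from the original post: does an IoC registry path fall
# under one of the predefined_keypaths branches the post quotes?

# The predefined branches, one per line, copied from the post.
predefined_keypaths() {
cat <<'EOF'
HKEY_CLASSES_ROOT\htafile
HKEY_CLASSES_ROOT\batfile
HKEY_CLASSES_ROOT\exefile
HKEY_CLASSES_ROOT\comfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Classes\piffile
HKEY_LOCAL_MACHINE\Software\Classes\htafile
HKEY_LOCAL_MACHINE\Software\Classes\exefile
HKEY_LOCAL_MACHINE\Software\Classes\comfile
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
EOF
}

# Lower-case, turn "/" into "\", expand HKLM/HKCR (assumed abbreviations),
# and drop trailing separators so comparisons are purely textual.
normalise_path() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -e 's#/#\\#g' \
              -e 's/^hklm\\/hkey_local_machine\\/' \
              -e 's/^hkcr\\/hkey_classes_root\\/' \
              -e 's/\\*$//'
}

# Prints the covering branch and returns 0 when $1 is a predefined branch or
# lies beneath one; returns 1 otherwise (such an IoC would yield no results).
ioc_branch_covered() {
    needle=$(normalise_path "$1")
    predefined_keypaths | {
        while IFS= read -r branch; do
            b=$(normalise_path "$branch")
            case $needle in
                "$b"|"$b\\"*) printf '%s\n' "$branch"; exit 0 ;;
            esac
        done
        exit 1
    }
}

# Classify a list of paths read from stdin, one per line.
check_ioc_paths() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if branch=$(ioc_branch_covered "$p"); then
            printf 'COVERED      %s  (branch: %s)\n' "$p" "$branch"
        else
            printf 'NOT COVERED  %s\n' "$p"
        fi
    done
}

# Constructed sample IoC registry paths for the demo (not from any real IoC).
sample_ioc_paths() {
cat <<'EOF'
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svc\ImagePath
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
EOF
}

sample_ioc_paths | check_ioc_paths
```

Note that matching is by branch prefix, so RunOnce and anything under HKEY_CURRENT_USER are reported as not covered even though they look close to listed keys; that is exactly the case where a task would run and return nothing.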
  17. Sometimes you may need to add a particular site\domain to an exclusions list of Traffic Security. Unfortunately, at the moment the KSWS console allows us to make exclusions ONLY for ports, IP addresses, and processes. But we have the ability to make site and domain exclusions for Traffic Security via a registry workaround.
To implement the workaround, we need to create and fill the following REG_MULTI_SZ key:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\WSEE\11.0\Environment\ICAP\IgnoreDomains]
To make changes in this hive, you can add the necessary permissions to your account OR you can run regedit in the SYSTEM context (psexec -s -i regedit.exe).
Important
Besides the required domain names, we recommend adding the following default list of names to avoid breaking Windows Updates and KSWS activation functionality:
*.data.microsoft.com
*.update.microsoft.com
*.kaspersky.com
*.rds.amazonaws.com
*.s3.amazonaws.com
*.blob.core.windows.net
*.database.windows.net
  18. Prerequisites:
- vSphere supported by the Kaspersky Agentless solution
- NSX version 3.2+
- Deployed Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker Appliance
Problem
A new registration and Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker Appliance deployment completes successfully. An attempt to create a Service Profile for Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker fails with an error. AntiVirus and Network Attack service registration might fail with the error "Service Definition id <ID> <Kaspersky Component> not found in MP".
Root cause
NSX-T does not delete service references of the Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker Appliance.
Solution
Through a terminal like putty, access the NSX-T appliance and launch the command:
curl -kG https://admin:<PASSWORD>@<nsx-t address>/policy/api/v1/infra/service-references
The path value should be remembered for Kaspersky File Antimalware Protection and for Kaspersky Network Protection.
Delete the service reference by path value by launching the command:
curl -kX DELETE https://admin:<PASSWORD>@<nsx-t address>/policy/api/v1/<value of path>
After that, delete the previously created service profile for Kaspersky Agentless 6.1 Antivirus and/or Network Attack Blocker and create it anew.
  19. andrew75

    Adguard

    And what exactly do you want clarified? Why did they start writing about the incompatibility only now? You can ask Technical Support this question. The Technical Support answer to the question of why exactly Adguard is on the incompatibility list was given to you above. Moreover, as follows from the Adguard knowledge base, they do not deny that the problems exist either.
  20. Problem Description
Unexpectedly it can be observed that KSV AL 6.1 starts to be unavailable in Kaspersky Security Center, as shown on the screenshot.
Root cause
The most probable cause of this issue is an expired Kaspersky Security Certificate, with the newly generated one not transferred to KSV AL 6.1. KSV AL 6.1 does not have functionality to automatically update the certificate from Kaspersky Security Center.
Workaround
The klmover script should be launched on KSV AL 6.1 to reconnect to the Kaspersky Security Center. This script performs some steps, including a certificate update. The script resides in /opt/kaspersky/klnagent64/bin.
  21. There is an example of a step-by-step instruction to configure Single Sign-On (SSO) for KATA 4.1/5+/6+ into the HOME.LAB domain.
Prerequisites
- Deployed Central Node. The server name should be an FQDN (in the current case the FQDN name of the Central Node is kata-cn.home.lab). It can be checked via Settings/Network Settings of the Central Node.
- A and PTR records should be set for the Central Node in DNS.
- A domain user account should be created to set up Kerberos authentication by means of a keytab file (in the current case the domain user account is kata-sign-on).
- The AES256-SHA1 encryption algorithm should be enabled for the created domain user account.
Step-by-step guide to create the keytab file
On the Domain Controller:
Launch CMD as Administrator and execute the following command to create the keytab file:
C:\Windows\system32\ktpass.exe -princ HTTP/kata-cn.home.lab@HOME.LAB -mapuser kata-sign-on@HOME.LAB -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\TEMP\kata-sgn-on.keytab
The utility requests the kata-sign-on user password when executing the command. The SPN of the selected server is added to the created keytab file. The generated salt is displayed on the screen:
Hashing password with salt "<hash value>"
For multiple Central Node servers you need to save the "<hash value>" of the hashing password to add an SPN for each subsequent Central Node server using the ktpass.exe utility.
On the Central Node Web Interface:
Go to Settings/Users/Active Directory Integration and add the created keytab file. The Keytab file status section contains "File which contains SPN for this server"; the "The file contains" section shows HTTP/*****@*****.tld.
Under the Users tab click Add and select Domain user account. Set the domain user as <username>@<domain>.
On the client machine:
The host should be joined to the same domain. The domain user should be logged in with the account added into the Central Node.
Open Control Panel/Internet Options, click on Security and select Local Intranet. Click on Sites and then on Advanced. Add the FQDN of the Central Node: kata-cn.home.lab. Close the windows.
Launch a web browser and access the Web Interface of the Central Node at https://kata-cn.home.lab:8443; it should open without asking for any login/password.
  22. You may want to have the full certificate chain for the KATA Web UI. Here's how to do it.
Step-by-step guide
Preparing the certificate chain for use in the nginx_gateway configuration
We start with the full certificate chain in the familiar form. Please note that the certificate chain should contain the desired intermediate authorities' public keys. Do not add the private key to the chain.
First of all, we transfer it to the Central Node. It's recommended to do all further actions on the Central Node, as in different *nix environments further steps may give different results.
To use it for product configuration, we should convert it to the format used by etcd. Note that the certificate is in one line, and that line breaks (CRLF) are replaced by \n symbols. So that's what we should do with our certificate:
Add \n to the end of each line:
sed 's/$/\\n/' < cert.json > cert_n.json
Remove line breaks:
tr -d '\n' < cert_n.json > cert_oneline.json
Now the certificate chain is ready to be used in the nginx_gateway configuration.
Importing the prepared certificate chain to nginx_gateway
The most convenient way is to first export the nginx_gateway configuration to JSON format:
apt-settings-manager get /configuration/nginx_gateway | python -m json.tool > /tmp/nginx_gateway
Now, find the place where the certificate is located and replace it with the created certificate chain. Import the configuration back:
apt-settings-manager set /configuration/nginx_gateway @/tmp/nginx_gateway
And that's it, now browsers will receive the full certificate chain for the KATA Web UI.
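The sed and tr steps above are easy to get subtly wrong (a stray CR, or a private key pasted into the chain by mistake), so the script below, an added example that is not part of the post and not a KATA tool, performs the same conversion with the checks a practitioner would want first: it refuses a file that contains a PRIVATE KEY block, requires matching BEGIN/END CERTIFICATE markers, strips CRLF before escaping, and emits the single-line \n-escaped value ready to paste into the exported nginx_gateway JSON. The apt-settings-manager commands are the post's; the sample PEM in the demo is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post: convert a PEM chain into the
# one-line, "\n"-escaped string form described for the etcd-backed config,
# after sanity checks. The PEM sample in demo() is constructed, not real.

# Validate the chain file: no private key, and N BEGIN markers paired with N END
# markers (N >= 1). Prints N on success.
check_chain_file() {
    f=$1
    if grep -q 'PRIVATE KEY-----' "$f"; then
        echo "refusing: $f contains a private key; the chain must hold public certificates only" >&2
        return 1
    fi
    # Strip CR first so CRLF files are counted correctly.
    begins=$(tr -d '\r' < "$f" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(tr -d '\r' < "$f" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing: $f has $begins BEGIN and $ends END certificate markers" >&2
        return 1
    fi
    echo "$begins"
}

# Same transformation as the post's sed + tr pipeline, with CRLF normalised:
# append a literal "\n" to every line, then delete the real newlines.
pem_to_json_value() {
    f=$1
    check_chain_file "$f" >/dev/null || return 1
    tr -d '\r' < "$f" | sed 's/$/\\n/' | tr -d '\n'
}

# Offline demo with a constructed two-certificate chain (placeholder bodies).
demo() {
    d=$(mktemp -d)
    printf '%b' '-----BEGIN CERTIFICATE-----\r\nMIIB...leaf...\r\n-----END CERTIFICATE-----\r\n-----BEGIN CERTIFICATE-----\nMIIB...intermediate...\n-----END CERTIFICATE-----\n' > "$d/chain.pem"
    echo "certificates in chain: $(check_chain_file "$d/chain.pem")"
    echo "etcd value:"
    pem_to_json_value "$d/chain.pem"; echo
    rm -rf "$d"
}

# Usage: sh pem2etcd.sh chain.pem   (prints the value to paste into /tmp/nginx_gateway)
if [ "$#" -gt 0 ]; then
    pem_to_json_value "$1"
else
    demo
fi
```

Paste the printed value in place of the existing certificate string in the exported /tmp/nginx_gateway before running the apt-settings-manager set command; because the value is already escaped, it drops straight into the JSON string literal.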
  23. In EDR, a Security Officer can create a hash-based prevention rule for a workstation. Here's the list of activities to which prevention rules apply:
Agent should control and prevent read access of the following file formats by the following apps:
Apps: winword.exe, wordpad.exe, excel.exe, powerpnt.exe, acrord32.exe, Microsoft Edge, Google Chrome
File formats: .rtf .doc .dot .docm .docx .dotx .dotm .docb .docx .rtf .xls .xlt .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw .ppt .pot .pps .pptx .pptm .potx .potm .ppam .ppsx .ppsm .sldx .sldm .pdf
Agent should prevent scripts started by the following interpreters:
cmd.exe, reg.exe, regedit.exe, regedt32.exe, cscript.exe, wscript.exe, mmc.exe, msiexec.exe, mshta.exe, rundll32.exe, runlegacycplelevated.exe, control.exe, explorer.exe, regsvr32.exe, wwahost.exe, powershell.exe, perl.exe (*), hh.exe (*), msbuild.exe (*), python.exe (*), InstallUtil.exe, RegSvcs.exe, RegAsm.exe, ruby.exe, rubyw.exe, autoit.exe, AutoHotkey.exe, AutoHotkeyU32.exe, AutoHotkeyA32.exe, AutoHotkeyU64.exe, AutoHotkeyA64.exe
  24. AlexeyK

    Adguard

    Well, then wait for clarity.)
  25. Installation of affected products fails if it can't disable Windows Defender. To do this, during the installation the installer tries to edit local policy settings via Windows APIs, which load the cached machine local policy from the %windir%\System32\GroupPolicy folder, make changes and save them back to the file system. If the mentioned operations with local policy fail, installation fails with MSI error 1603, and the MSI log contains the following errors:
DisableWindowsDefender: Error: (_com_error): OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY) failed code=<some error code>
OR
DisableWindowsDefender: Error: (_com_error): pGroupPolicy->Save failed code=<some error code>
KESS 3.1+ and KICS 3.0+ have a setup parameter SKIP_DISABLE_DEFENDER=1, which forces the installation to skip the disabling Windows Defender operation:
msiexec /i <product msi file> SKIP_DISABLE_DEFENDER=1 /L*V C:\installation.log
With SKIP_DISABLE_DEFENDER=1 the installation will not touch local group policy files, therefore you have to disable Windows Defender yourself.
  26. Problem
kesl-control --app-info outputs the following error:
en File Threat Protection: Unavailable due to file interceptor driver error
One of the most common root causes is that Fanotify is disabled (or KESL could not access it) and kernel module compilation also failed. A special utility can be used to check this directly on the affected machine with KESL installed:
sudo /opt/kaspersky/kesl/bin/fanotify-checker && echo fanotify: supported || echo fanotify: unsupported
In case an operating system does not support the Fanotify technology, it is required to install some additional packages and build a kernel module for KESL. A part of the required packages may be found in the Hardware and software requirements section of the product documentation, for example for KESL 11.3. In addition to this, the new packages kernel-headers-XXX and kernel-devel-XXX must be installed, where XXX is the operating system kernel version.
Use the following scenario to install those packages and build a kernel module for KESL:
1. For RHEL based OS:
yum install kernel-headers-`uname -r` kernel-devel-`uname -r`
For Debian based OS:
apt install linux-headers-`uname -r`
2. Reboot the system.
3. Run the post-install script:
/opt/kaspersky/kesl/bin/kesl-setup.pl --build | tee /tmp/buildLog
4. Restart the service:
systemctl restart kesl-supervisor.service
In case of any further issues, please contact Kaspersky Support.
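The scenario above branches on the OS family and on the fanotify check, and the steps before and after the reboot are easy to mix up on a fleet. The script below is an added example (not from the post and not part of KESL) that automates it: it reads the OS family from os-release, runs the fanotify-checker the post names, picks the matching header packages for the running kernel, and separates the pre-reboot package step from the post-reboot build step. The os-release parsing, the DRY_RUN switch and the unattended -y flags are my additions; the package names, kesl-setup.pl call and service name are those given in the post. The os-release samples in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: automate the KESL kernel-module
# prerequisite steps. Run phase 1 before the reboot and phase 2 after it.
# DRY_RUN=1 prints the privileged commands instead of executing them.

# Execute or, under DRY_RUN=1, just echo a command.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# OS family from an os-release file (ID and ID_LIKE): "rhel", "debian" or "unknown".
os_family() {
    f=${1:-/etc/os-release}
    ids=$( { grep -E '^(ID|ID_LIKE)=' "$f" 2>/dev/null || true; } \
          | tr -d '"' | cut -d= -f2 | tr '[:upper:]' '[:lower:]' | tr ' ' '\n')
    for id in $ids; do
        case $id in
            rhel|centos|fedora|rocky|almalinux|ol) echo rhel; return 0 ;;
            debian|ubuntu)                          echo debian; return 0 ;;
        esac
    done
    echo unknown; return 1
}

# The header/devel package command for kernel $2 on family $1 (as in the post, plus -y).
kernel_headers_cmd() {
    family=$1; kver=$2
    case $family in
        rhel)   echo "yum install -y kernel-headers-$kver kernel-devel-$kver" ;;
        debian) echo "apt install -y linux-headers-$kver" ;;
        *)      echo "unsupported OS family: $family" >&2; return 1 ;;
    esac
}

# 0 when fanotify is usable, 1 when the checker says it is not, 2 when the checker is absent.
fanotify_supported() {
    checker=${1:-/opt/kaspersky/kesl/bin/fanotify-checker}
    [ -x "$checker" ] || return 2
    "$checker"
}

# Phase 1 (before reboot): skip everything when fanotify works, else install headers.
phase1_install_headers() {
    if fanotify_supported; then
        echo "fanotify: supported; no kernel module build is needed"
        return 0
    fi
    family=$(os_family) || { echo "cannot determine OS family from /etc/os-release" >&2; return 1; }
    cmd=$(kernel_headers_cmd "$family" "$(uname -r)") || return 1
    run sh -c "$cmd" || return 1
    echo "headers installed; reboot the system, then run phase 2"
}

# Phase 2 (after reboot): build the module and restart the service, keeping the build log.
phase2_build_module() {
    run sh -c '/opt/kaspersky/kesl/bin/kesl-setup.pl --build | tee /tmp/buildLog' || return 1
    run systemctl restart kesl-supervisor.service
}

case ${1:-} in
    phase1) phase1_install_headers ;;
    phase2) phase2_build_module ;;
    "")     : ;;   # sourced or run without arguments: define functions only
    *)      echo "usage: $0 phase1|phase2   (DRY_RUN=1 to print commands)" >&2; exit 2 ;;
esac
```

Running `DRY_RUN=1 sh kesl-module.sh phase1` shows the exact package command that would be executed for the host's family and kernel, which is a cheap way to review it before rolling the change out with configuration management.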