All Activity

  1. Past hour
  2. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

     How to monitor KATA system health such as CPU, HDD and memory usage, services status, etc.? How to output this information?

     Locally, product operation and component health can be monitored in the KATA dashboard. CPU, memory and similar metrics can be viewed using built-in Linux tools in support mode.

     Available remote monitoring options are:
     • Using SNMP
     • Heartbeats in SIEM integration
     • Email notifications about alerts and system health

     For the Sandbox component, only the SSL probing option is available:

         echo "Q" | openssl s_client -connect sandbox:443
  3. Problem

     • Host connected to KES Cloud
     • Disk encryption disabled in profile
     • Encryption error in host properties

     Workaround

     Try to create a new security profile (create a new one, do not copy one of the current profiles), do not modify the encryption settings in it (leave them in the disabled status), and assign the affected device to it. These steps should help to fix the problem.

     Update: In case you encounter this with a server OS, it will be fixed in KES Cloud release 24.9.

     Another possible cause on Windows Server OS

     Try to add the BitLocker Windows feature to all affected devices via Server Manager > Manage > Add Roles and Features. In the Features section choose BitLocker Drive Encryption. Wait for several minutes. The status will become 'OK'.
  4. Configuring the KEA update task is of crucial importance. Updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means to check the bases version locally. The solution is to check the bases version locally via CLI.

     KEA for Windows bases date

     From an elevated Command Prompt, execute:

         type "C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Bases\Current\aptem.stt"

     Example output:

         ;202209190911

     The format is ;YYYYMMDDHHMM.

     KEA for Linux (LENA) bases date

     Fresh installation: for a fresh LENA installation that has never been updated, the bases "aptem.stt" file might be missing.

     From root or using sudo:

         sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt

     The output format is the same, ;YYYYMMDDHHMM. Using built-in tools, it can easily be converted to a readable date:

         sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt | sed -E 's/\;([0-9]{8})([0-9]{2})([0-9]{2})/\1 \2:\3/g' | xargs -0 date -d

     Bonus: LENA's last update date

     LENA's last update date is stored in epoch format in /opt/kaspersky/epagent/update/last_update. Using built-in tools, we can make it human-readable:

         sudo cat /var/opt/kaspersky/epagent/update/last_update | xargs -0 -I% date -d \@%

     It is also worth mentioning that the "Last update date" is relevant, but it is an entirely different value from the bases date. If the bases in the repository are outdated, the Last update date may be 5 minutes ago, yet the bases will remain old.
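The distinction drawn above between the bases date and the last update date can be turned into a health check. The script below is an added example, not Kaspersky code: it assumes GNU date, treats the stamp in aptem.stt as UTC, and uses an illustrative 24-hour threshold and made-up status words.

```shell
#!/bin/sh
# Added example (not Kaspersky code): flag stale KEA for Linux bases.
# Assumptions: GNU date; the ;YYYYMMDDHHMM stamp is treated as UTC; the
# 24-hour threshold and the status words are illustrative choices.

STT_FILE=/var/opt/kaspersky/epagent/update/bases/aptem.stt
LAST_UPDATE_FILE=/var/opt/kaspersky/epagent/update/last_update

# Convert a ";YYYYMMDDHHMM" stamp to epoch seconds; fail on anything else.
stt_to_epoch() {
    stamp=$(printf '%s' "$1" | tr -d '\r' |
        sed -n -E 's/^;([0-9]{8})([0-9]{2})([0-9]{2})$/\1 \2:\3/p' |
        head -n 1)
    [ -n "$stamp" ] || return 1
    date -u -d "$stamp" +%s 2>/dev/null
}

# classify BASES_STAMP LAST_UPDATE_EPOCH NOW_EPOCH MAX_AGE_HOURS
# Prints one status line and returns:
#   0 OK            bases are fresh
#   1 STALE         bases are old and no update ran recently
#   2 STALE_SOURCE  an update ran recently but bases are still old,
#                   which points at an outdated update repository
#   3 UNKNOWN       input could not be parsed
classify() {
    bases=$(stt_to_epoch "$1") || {
        echo "UNKNOWN unparsable bases stamp"
        return 3
    }
    case "$2" in
        ''|*[!0-9]*) echo "UNKNOWN unparsable last_update"; return 3 ;;
    esac
    limit=$(( $4 * 3600 ))
    bases_h=$(( ($3 - bases) / 3600 ))
    if [ $(( $3 - bases )) -le "$limit" ]; then
        echo "OK bases are ${bases_h}h old"
        return 0
    fi
    if [ $(( $3 - $2 )) -le "$limit" ]; then
        echo "STALE_SOURCE update ran recently, bases are ${bases_h}h old"
        return 2
    fi
    echo "STALE no recent update, bases are ${bases_h}h old"
    return 1
}

# Run against the real files only where they are readable (root or sudo).
if [ -r "$STT_FILE" ] && [ -r "$LAST_UPDATE_FILE" ]; then
    classify "$(cat "$STT_FILE")" \
        "$(tr -d '[:space:]' < "$LAST_UPDATE_FILE")" "$(date +%s)" 24
else
    echo "NO_BASES $STT_FILE or last_update is missing or unreadable"
fi
```

The STALE_SOURCE result is the case worth alerting on separately, because the update task reports success while the agent keeps running with old bases.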
  5. Intro

     This instruction describes how to create an installation package (.pkg) for the MacOS operating system from the standalone installation package of Kaspersky Endpoint Security for Mac.

     You may need to create such a package to automate the installation of Kaspersky Endpoint Security software via third-party systems (e.g. AirWatch).

     Details

     Files: Munki tool (with predefined files)

     Prerequisites

     • Kaspersky Security Center
     • MacOS machine
     • Python must be installed

     Usage

     Create a standalone installation package for Kaspersky Endpoint Security for Mac (https://support.kaspersky.com/KSC/14/en-US/182663.htm)

     On a MacOS machine:

     • Unzip the file munki-munki-pkg-e018bf1.zip to Desktop.

     • Open Terminal and navigate to the directory munki-munki-pkg-e018bf1:

           cd /Users/John/Desktop/munki-munki-pkg-e018bf1

     • Copy the built standalone installation package (kesmac11.2.1.145.sh) to the postinstall file in the kesmac/scripts/ directory:

           cp kesmac11.2.1.145.sh kesmac/scripts/postinstall

     • Modify the code of the standalone installation package with the vim editor:

           vi kesmac/scripts/postinstall

     • Replace the section in the file with the modified section (note that the line "#!/bin/sh" must be the first line in the file, there must be no empty lines before it):

       nagent/scripts/postinstall (new)

           #!/bin/sh
           logfile="/tmp/kesmac11.2.1.1450.log"
           wstrUnpackTempPath="${TMPDIR:-/tmp}"/"$(date '+%d.%m_%H.%M.%S.%N')"

           # Start with a fresh log file
           if [ -f "$logfile" ]; then
               rm -f "$logfile"
           fi

           # Remove the temporary directory, log the message, exit with the given code
           ExitWithError()
           {
               echo "Clean temporary directory '$wstrUnpackTempPath'" >> "$logfile"
               rm -rf "$wstrUnpackTempPath"
               echo "$2" >> "$logfile"
               exit $1
           }

           rm -rf "$wstrUnpackTempPath"
           mkdir "$wstrUnpackTempPath" || ExitWithError 1 "Failed to create temporary directory '$wstrUnpackTempPath': error = $?"

           # The archive is appended to this script after the marker line
           echo "Unpack archive to '$wstrUnpackTempPath'..." >> "$logfile"
           archive_marker_line=$(grep -an '^CCFAFCA1-F619-4618-B8C1-107EF7694A0C-ARCHIVE:$' "$0" | cut -d : -f 1 | tail -1)
           tail -n +$((archive_marker_line + 1)) "$0" | tar -xzf - -C "$wstrUnpackTempPath" > /dev/null || ExitWithError 1 "Failed to unpack archive: error = $?"

           # Installer name and parameters come from the .kud/.kpd description files
           echo "Found installer..." >> "$logfile"
           wstrExecName=$(grep -o -r "--include=*.kud" "--include=*.kpd" '^Executable=.*\.sh' "$wstrUnpackTempPath" | sed 's/.*=//' | sed 's/.*[\\/]//')
           [ ! -z "$wstrExecName" ] || ExitWithError 1 "Installer not found"

           echo "Found parameters..." >> "$logfile"
           wstrParams=$(grep -o -r "--include=*.kud" "--include=*.kpd" '^Params=.*' "$wstrUnpackTempPath" | sed 's/.*=//' | sed 's/\r//')

           # $wstrParams is left unquoted on purpose so it splits into separate arguments
           echo "Run package installer '$wstrExecName $wstrParams' ..." >> "$logfile"
           sh "$wstrUnpackTempPath/$wstrExecName" $wstrParams >> "$logfile" || ExitWithError $? "Installation failed: error = $?"

           echo "Product successfully installed!" >> "$logfile"
           ExitWithError 0 ""

     • Add the execution bit:

           chmod +x kesmac/scripts/postinstall

     • You can also change the metadata (if needed) in the nagent/build-info.plist file:

       Change meta

           <key>version</key>
           <string>11.2.1.145</string> // version of package
           <key>name</key>
           <string>Kaspersky Endpoint Security.pkg</string> // name of package
           <key>identifier</key>
           <string>com.kaspersky.kesmac</string> // identifier of package

     • Perform the assembly:

           ./munkipkg kesmac

     The built package will be available in the kesmac/build directory with the name <name of package from build-info.plist>.pkg

     Important

     Before installing, a configuration profile must be installed: https://support.kaspersky.com/kes11mac/settings/15647

     The configuration profile contains settings that are only allowed through User Approved Mobile Device Management (UAMDM), so when you apply the configuration profile locally on the device, the error "Profile installation failure. System profile required. User profiles are not supported" occurs. To avoid the error, use the remote administration utility.

     When installing a .pkg built this way, MacOS may give an error that the package has been signed by an unauthorized developer. It is necessary to allow it to run in the OS.

     The installation log will be saved to the file /tmp/kesmac11.2.1.1450.log
  6. Problem Description

     Error "Error 1181/0x91 ('System error 0x91 (The directory is not empty.)') occured while deleting directory 'C:\ProgramData\KasperskyLab\adminkit\1103''" when installing Network Agent. The error can be found on a screenshot.

     How To Fix

     Make sure that the folder 'C:\ProgramData\KasperskyLab\adminkit\1103' actually exists. If you can navigate to this folder in Explorer (with "Hidden items" enabled), try to delete or rename this folder and repeat the installation.

     If you can't find this directory, then try to navigate to the 'C:\ProgramData\Kaspersky Lab\adminkit' folder in the terminal (cmd) from the NT AUTHORITY\SYSTEM account. Then check its contents with the "dir" command. If the folder appears in the list, try deleting or renaming it. Here you will probably need one of the following CMD commands.

     To remove:

         rmdir /S /Q "C:\ProgramData\KasperskyLab\adminkit\1103"

     To rename:

         ren "C:\ProgramData\KasperskyLab\adminkit\1103" "1103_old"

     Do not forget to perform all actions from an account that has local administrator rights on this computer with elevated privileges (from the Administrator), if UAC is used.
  7. Problem

     KSC and KS4Android are implemented, but KSC is offline and cannot access the Internet. KUU (Kaspersky Update Utility) can be used to update KS for Android and distribute the update databases. But after running KUU, you cannot find the actual KES for Android versions.

     Solution

     AV bases for new KESM versions will appear in the KUU UI after running KUU with an empty application list.

     The KUU settings should look like the following (in order to update the list of supported applications, you first need to press 'Start' with a blank application list as follows):
  8. When creating an IoC scan task, only the following registry branches are scanned.

         <field name="predefined_keypaths" type="wstring" multi-valued="yes" default-value= '{
             LR"(HKEY_CLASSES_ROOT\htafile)",
             LR"(HKEY_CLASSES_ROOT\batfile)",
             LR"(HKEY_CLASSES_ROOT\exefile)",
             LR"(HKEY_CLASSES_ROOT\comfile)",
             LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa)",
             LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors)",
             LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider)",
             LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class)",
             LR"(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders)",
             LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server)",
             LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager)",
             LR"(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services)",
             LR"(HKEY_LOCAL_MACHINE\Software\Classes\piffile)",
             LR"(HKEY_LOCAL_MACHINE\Software\Classes\htafile)",
             LR"(HKEY_LOCAL_MACHINE\Software\Classes\exefile)",
             LR"(HKEY_LOCAL_MACHINE\Software\Classes\comfile)",
             LR"(HKEY_LOCAL_MACHINE\Software\Classes\CLSID)",
             LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)",
             LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad)",
             LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer)",
             LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run)",
             LR"((HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components)",
             LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)",
             LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options)",
             LR"(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Aedebug)",
             LR"(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)"
         }' tag-id="2" tag-name="PredefinedKeyPaths"/>

     IoC tasks that are configured to scan other branches of the registry will not return any results.
  9. Sometimes you may need to add a particular site or domain to the exclusions list of Traffic Security. Unfortunately, at the moment the KSWS console allows exclusions ONLY for Ports, IP addresses, and Processes:

     However, site and domain exclusions for Traffic Security can be made via a registry workaround. To implement the workaround, create and fill the following REG_MULTI_SZ key:

         [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\WSEE\11.0\Environment\ICAP\IgnoreDomains]

     To make changes in this hive, you can add the necessary permissions to your account OR you can run regedit in SYSTEM context (psexec -s -i regedit.exe).

     Important

     Besides the required domain names, we recommend adding the following default list of names to avoid breaking Windows Updates and KSWS activation functionality:

         *.data.microsoft.com
         *.update.microsoft.com
         *.kaspersky.com
         *.rds.amazonaws.com
         *.s3.amazonaws.com
         *.blob.core.windows.net
         *.database.windows.net
  10. Prerequisites:

      • Supported vSphere by Kaspersky Agentless solution
      • Usage of NSX version 3.2+
      • Deployed Kaspersky Agentless 6.1 Antivirus or/and Network Attack Blocker Appliance

      Problem

      Registration anew and deployment of the Kaspersky Agentless 6.1 Antivirus or/and Network Attack Blocker Appliance complete successfully. An attempt to create a Service Profile for Kaspersky Agentless 6.1 Antivirus or/and Network Attack Blocker fails with an error.

      AntiVirus and Network Attack service registration might fail with the error "Service Definition id <ID> <Kaspersky Component> not found in MP"

      Root cause

      NSX-T does not delete service references of the Kaspersky Agentless 6.1 Antivirus or/and Network Attack Blocker Appliance.

      Solution

      Through a terminal such as PuTTY, access the NSX-T appliance and launch the command:

          curl -kG https://admin:<PASSWORD>@<nsx-t address>/policy/api/v1/infra/service-references

      Note the path value for Kaspersky File Antimalware Protection and for Kaspersky Network Protection.

      Delete the service reference by path value by launching the command:

          curl -kX DELETE https://admin:<PASSWORD>@<nsx-t address>/policy/api/v1/<value of path>

      After that, delete the previously created Service Profile for Kaspersky Agentless 6.1 Antivirus or/and Network Attack Blocker and create it anew.
  11. andrew75

    Adguard

    And what kind of clarification exactly do you want? Why did they start writing about the incompatibility only now? You can put that question to technical support. The technical support answer to the question of why exactly Adguard is on the list of incompatible software was given to you above. Moreover, as follows from the Adguard knowledge base, they do not deny that the problems exist.
  12. Problem Description

      KSV AL 6.1 may unexpectedly become unavailable in Kaspersky Security Center, as shown on the screenshot.

      Root cause

      The most probable cause of this issue is an expired Kaspersky Security Certificate where the newly generated one has not been transferred to KSV AL 6.1. KSV AL 6.1 does not have functionality to automatically update the certificate from Kaspersky Security Center.

      Workaround

      The script klmover should be launched on KSV AL 6.1 to reconnect to the Kaspersky Security Center. This script performs some steps, including a certificate update. The script resides in /opt/kaspersky/klnagent64/bin.
  13. This is an example of a step-by-step instruction to configure Single Sign-On (SSO) for KATA 4.1/5+/6+ in the HOME.LAB domain.

      Prerequisites

      • Deployed Central Node.
      • Server Name should be an FQDN (in the current case the FQDN of the Central Node is kata-cn.home.lab). It can be checked via Settings/Network Settings of the Central Node.
      • A and PTR records should be set for the Central Node in DNS.
      • A Domain User Account should be created to set up Kerberos authentication by means of a keytab file (in the current case the Domain User Account is kata-sign-on).
      • The AES256-SHA1 encryption algorithm should be enabled in the created Domain User Account.

      Step-by-step guide to create keytab file

      On Domain Controller:

      • Launch CMD as Administrator.
      • Execute the following command to create the keytab file:

            C:\Windows\system32\ktpass.exe -princ HTTP/kata-cn.home.lab@HOME.LAB -mapuser kata-sign-on@HOME.LAB -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * +dumpsalt -out C:\TEMP\kata-sgn-on.keytab

      The utility requests the kata-sign-on user password when executing the command. The SPN of the selected server is added to the created keytab file. The generated salt is displayed on the screen:

          Hashing password with salt "<hash value>"

      For multiple Central Node servers you need to save the "<hash value>" of the hashing password, in order to add an SPN for each subsequent Central Node server using the ktpass.exe utility.

      On Central Node Web Interface

      • Move to Settings/Users/Active Directory Integration.
      • Add the created keytab file:
        - The Keytab file status section contains: File which contains SPN for this server
        - The file contains section: HTTP/*****@*****.tld
      • Under the Users tab click Add and select Domain user account.
      • Set the domain user as <username>@<domain>

      On client machine

      • The host should be joined to the same domain.
      • The domain user should be logged in with the account added to the Central Node.
      • Open Control Panel/Internet Options.
      • Click on Security and select Local Intranet.
      • Click on Sites and then on Advanced.
      • Add the FQDN of the Central Node: kata-cn.home.lab
      • Close the windows.

      Launch a web browser and access the Web Interface of the Central Node at https://kata-cn.home.lab:8443. It should open without asking for any login or password.
  14. You may want to have the full certificate chain for the KATA Web UI. Here's how to do it.

      Step-by-step guide

      Preparing the certificate chain for use in nginx_gateway configuration

      We start with the full certificate chain in familiar form. Please note that the certificate chain should contain the desired intermediate authorities' public keys. Do not add the private key to the chain.

      First of all, we transfer it to the Central Node. It's recommended to do all further actions on the Central Node, as in different *nix environments further steps may give a different result.

      To use it for product configuration, we should convert it to the format used by etcd. Note that the certificate is in one line, and that line breaks (CRLF) are replaced by \n symbols. So that's what we should do with our certificate:

      Add \n to the end of each line:

          sed 's/$/\\n/' < cert.json > cert_n.json

      Remove line breaks:

          tr -d '\n' < cert_n.json > cert_oneline.json

      Now the certificate chain is ready to be used in the nginx_gateway configuration.

      Importing the prepared certificate chain to nginx_gateway

      The most convenient way is to first export the nginx_gateway configuration to JSON format:

          apt-settings-manager get /configuration/nginx_gateway | python -m json.tool > /tmp/nginx_gateway

      Now, find the place where the certificate is located and replace it with the created certificate chain.

      Import the configuration back:

          apt-settings-manager set /configuration/nginx_gateway @/tmp/nginx_gateway

      And that's it, now browsers will receive the full certificate chain for the KATA Web UI.
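The two conversion steps above can be wrapped with the checks the article asks for (no private key in the chain) plus a round-trip helper for verifying the result. This is an added example, not Kaspersky code; the function names and exit codes are illustrative.

```shell
#!/bin/sh
# Added example (not Kaspersky code): prepare a PEM chain as the one-line,
# "\n"-escaped string described above, with sanity checks first.
# Function names and exit codes are illustrative.

# Print FILE as one line with literal "\n" separators. Refuses input that
# holds a private key or has unbalanced BEGIN/END CERTIFICATE markers.
chain_to_oneline() {
    if grep -q 'PRIVATE KEY-----' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 2
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "refusing: $1 has $begins BEGIN and $ends END markers" >&2
        return 3
    fi
    # Drop CRs from Windows-edited files, then apply the article's two
    # steps: append a literal \n to every line, remove real line breaks.
    tr -d '\r' < "$1" | sed 's/$/\\n/' | tr -d '\n'
}

# Reverse the conversion so the result can be compared with the source
# file or passed to a certificate viewer before it is imported.
oneline_to_pem() {
    printf '%s' "$1" | awk '{ gsub(/\\n/, "\n"); printf "%s", $0 }'
}

# Number of certificates in a one-line chain (leaf plus intermediates).
count_certs() {
    oneline_to_pem "$1" | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Stand-alone use: sh thisfile.sh chain.pem > cert_oneline.json
if [ "$#" -ge 1 ]; then
    chain_to_oneline "$1"
fi
```

A count of 1 from count_certs means only the leaf certificate is present, so browsers would still not receive the intermediates.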
  15. In EDR, a Security officer can create a hash-based prevention rule for a workstation. Here's the list of activities to which prevention rules apply:

      The agent should control and prevent read access to the following file formats by the following apps:

      App:
          winword.exe wordpad.exe excel.exe powerpnt.exe acrord32.exe Microsoft Edge Google Chrome

      File formats:
          .rtf .doc .dot .docm .docx .dotx .dotm .docb .docx .rtf
          .xls .xlt .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw
          .ppt .pot .pps .pptx .pptm .potx .potm .ppam .ppsx .ppsm .sldx .sldm
          .pdf

      The agent should prevent scripts started by the following interpreters:

          cmd.exe reg.exe regedit.exe regedt32.exe cscript.exe wscript.exe mmc.exe msiexec.exe
          mshta.exe rundll32.exe runlegacycplelevated.exe control.exe explorer.exe regsvr32.exe
          wwahost.exe powershell.exe perl.exe ( * ) hh.exe ( * ) msbuild.exe ( * ) python.exe ( * )
          InstallUtil.exe RegSvcs.exe RegAsm.exe ruby.exe rubyw.exe autoit.exe
          AutoHotkey.exe AutoHotkeyU32.exe AutoHotkeyA32.exe AutoHotkeyU64.exe AutoHotkeyA64.exe
  16. AlexeyK

    Adguard

    Well then, wait for clarity.)
  17. Installation of affected products fails if the installer can't disable Windows Defender. To do this, during the installation the installer tries to edit local policy settings via Windows APIs, which load the cached machine local policy from the %windir%\System32\GroupPolicy folder, make changes and save them back to the file system.

      If the mentioned operations with local policy fail, installation fails with MSI error 1603, and the MSI log contains the following errors:

          DisableWindowsDefender: Error: (_com_error): OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY) failed code=<some error code>

      OR

          DisableWindowsDefender: Error: (_com_error): pGroupPolicy->Save failed code=<some error code>

      KESS 3.1+ and KICS 3.0+ have a setup parameter SKIP_DISABLE_DEFENDER=1, which forces the installation to skip the disabling Windows Defender operation:

          msiexec /i <product msi file> SKIP_DISABLE_DEFENDER=1 /L*V C:\installation.log

      With SKIP_DISABLE_DEFENDER=1 the installation will not touch local group policy files, therefore you have to disable Windows Defender yourself.
  18. Problem

      kesl-control --app-info outputs the following error:

          File Threat Protection: Unavailable due to file interceptor driver error

      One of the most common root causes is that Fanotify is disabled (or KESL could not access it) and kernel module compilation also failed.

      A special utility can be used to check this directly on the affected machine with KESL installed:

          sudo /opt/kaspersky/kesl/bin/fanotify-checker && echo fanotify: supported || echo fanotify: unsupported

      If the operating system does not support Fanotify technology, it is required to install some additional packages and build a kernel module for KESL.

      Part of the required packages may be found in the Hardware and software requirements section of the product documentation, for example for KESL 11.3. In addition to this, the new packages kernel-headers-XXX and kernel-devel-XXX must be installed, where XXX is the operating system kernel version.

      Use the following scenario to install those packages and build a kernel module for KESL:

      • For RHEL based OS:

            yum install kernel-headers-`uname -r` kernel-devel-`uname -r`

      • For Debian based OS:

            apt install linux-headers-`uname -r`

      • Reboot the system.

      • Run the post-install script:

            /opt/kaspersky/kesl/bin/kesl-setup.pl --build | tee /tmp/buildLog

      • Restart the service:

            systemctl restart kesl-supervisor.service

      In case of any further issues, please contact Kaspersky Support.
  19. Which task is responsible for downloading third-party application updates?

      Updates metadata is downloaded by the Download Updates to the repository task. The updates themselves are downloaded by the Install updates and fix Vulnerability task.

      What is the source folder containing the third-party application updates on the administration server?

      3rd party updates are downloaded into the folder C:\ProgramData\KasperskyLab\adminkit\1093\.working\wusfiles, then copied to C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer to transfer to the hosts.

      If I run Install updates and fix Vulnerability for Google Chrome as an example, will all versions of Chrome be upgraded to the latest release? Does this mean that after the task has run for a while I will get one version of Google Chrome on all PCs?

      It depends on the settings specified in the install task. For example, if you choose to install all applicable updates, Google Chrome will be updated on all hosts to the latest version.

      If I have a Connection Gateway, will the devices outside the network and connected to the KSC through the Connection Gateway update through KSC or the Connection Gateway?

      Firstly, updates will be transferred to the Connection Gateway, then distributed from the Connection Gateway to the hosts. So if a host needs an update which is already on the Connection Gateway, KSC will not distribute the files again. The CG will distribute them to the hosts.

      Is it possible for the PCs outside the network and connected through the Connection Gateway to use the internet as an update source for third-party applications?

      Indeed.

      1. On the host with the KSC server, create the following registry key:

             [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags]
             "KLSRV_SYSPATCH_DOWNLOAD_PATCHES_LOCALLY"=dword:00000001

      2. Recreate the Install updates and fix vulnerabilities task.
  20. To achieve this goal for the Kaspersky Agentless 6.1 solution you should:

      • Shut down the Kaspersky Agentless Appliance
      • Disable the option "Configure/vApp Options/edit/OVF Details/OVF environment transport/ISO image" for the Kaspersky Agentless Appliance
      • Launch the Kaspersky Agentless Appliance
  21. KSC13 introduced a feature that limits the frequent publication of events. If the event storage overflows on the Server, the most common event in the storage is calculated, and such events are blocked when published on hosts.

      Problem:

      • Machines have the status "Virus scan wasn't performed for a long time" but the "Virus scan" task was started recently.
      • Events that occur on local hosts (KES) are not displayed on the administration server (KSC).

      Cause:

      KSC 13 has new functionality to limit the storage of frequent events. When the set event storage limit on the Administration Server is reached, the most frequently occurring event (in the database) is calculated and added to the block-list. After that, the events that occur and are displayed on the KES hosts will be blocked when received by the server and will not appear in the storage.

      This gives rise to a problem with updating host statuses on the server: since the event was not written to the database, server-side processing does not occur and the host in the Managed group does not receive the status update.

      Solution:

      Since this problem is directly related to the storage and publication of events, it is first of all necessary to find out what causes the event store to overflow:

      • Find out which events appeared in the block list of the Administration Server ("Managing frequent events blocking" article).

      After finding out the cause of the overflow, the following can be done to fix the problem:

      • Increase the number of events stored in the server database ("Setting the maximum number of events in the event repository")
      • Set up event logging by deleting irrelevant events and thereby reducing the flow of events stored on the server.
      • Clear the block list for events on the administration server ("Removing blocking of frequent events")
  22. How to add a second license to the workspace

      There is no possible way to add a second license to KES Cloud. The license will be replaced. Kindly merge the license count into one and add it.

      Email notification about outdated databases

      There are no separate email notification settings for the "database outdated" event.

      License receiving after installation

      After installation of KES, a device can receive a license even without an owner. Applying the license can take some time due to the attempt to synchronize with the KES Cloud server. The standard sync period is 15 mins.

      KES Cloud email notifications in cumulative emails

      When you have a lot of notifications, they will be sent as a cumulative email. This is by design and expected behavior. These emails contain information about the count of emails with different levels of severity.

      KES Cloud workspace deletion after license expiration

      If the license expires, a workspace without an active license will be deleted. If a commercial license was used, after 90 days. If a trial license was used, after 30 days.

      Reports' time zone differences

      • The time of report creation depends on browser localization.
      • Events in a report opened in the Cloud console also depend on browser localization.
      • Events in a report exported to .pdf are in UTC +0.
  23. These errors appear when the remote installation task of NAgent or KES with NAgent was created with the Assign package installation in Active Directory group policies option selected.

      At the first startup, such tasks start under the account specified in the New Task Wizard. If that user has access for creating domain policies and groups, the task will be completed successfully, and a "GPO" and a "Security Group" with the target computers will be created on the domain controller.

      When deleting this task, the user credentials entered in the task settings are used. If they are changed, or if the task is being deleted by another user who does not have sufficient rights in the domain, or if the user who created the task has lost its rights, the following errors will occur:

      Error in EventLog

          Failed to delete group policy object 'LDAP://CN={1DEE8F3C-F36F-4FF7-8E18-01C83D482A44},CN=Policies,CN=System,DC=bn,DC=loc': 'System error 0x52E (The user name or password is incorrect.)'

      Error in EventLog

          Failed to delete group policy object 'LDAP://CN={1DEE8F3C-F36F-4FF7-8E18-01C83D482A44},CN=Policies,CN=System,DC=bn,DC=loc': 'Access is denied.'

      To fix it, you need to change the user in the task settings to one with sufficient rights to delete the "GPO" and "Security Group" on the domain controller.
  24. This is a small guide about Chrome Developer tools for collecting logs.

      1. Open the Chrome menu and select More tools → Developer tools or press Ctrl+Shift+I.
      2. Temporarily ignore the opened sidebar and open KSC Web Console.
      3. Sign in using correct credentials. Wait until the page loads. If the loading of the page takes too long, wait a minute before moving on to the next step.
      4. On the DevTool sidebar, go to the Network tab. Press the Export HAR... button and save the file.
      5. Also, you may save the log on the Console tab. Just right-click on a clear space and select Save as...
  25. You may not want to use all 3 or 4 (depends on settings at web set) VMs in KATA 4.1/5.0 SB. If one of the VM images is not installed, there will be an SB self-diagnostics error in the KATA web interface. Usually it's the WinXP image that gets excluded.

      This article is applicable only to KATA 4.1/5.0

      Image names for 4.1: CentOS7_x64, WinXP, Win7_x64, Win10_x64

      Image names for 5.0: Astra_x64, CentOS7_x64, WinXP, Win7_x64, Win10_x64

      KATA 4.1 sets

      KATA 5.0 sets

      Prior to doing the steps below, ensure that this option is enabled (under Security officer)

      Step-by-step guide

      Execute the following command under root (this is an example, you can choose VM images as it suits you).

      For 4.1:

          apt-settings-manager set --merge /configuration/kata_scanner '{"sandbox": {"images": ["CentOS7_x64", "Win10_x64"]}}'

      For 5.0:

          console-settings-updater set --merge /kata/configuration/product/kata_scanner '{"sandbox": {"images": ["Astra_x64", "Win7_x64", "Win10_x64"]}}'

      Check that the settings have been applied:

      • The SB self-diagnostics error in the KATA web interface should disappear.
      • Check that SB processing works fine.

      Consequences

      You will see an error under Administrator: and under Security officer (in KATA 5.0)

      No need to worry, as the workaround described has consequences.
  26. It is impossible to detect .bat and .cmd files by format, because these are regular plain text files. If you want to block attachments, you can only configure detection of these files by masks: *.bat, *.cmd.

      Please check the section "Configuring the general settings and conditions of rules" at https://support.kaspersky.com/KS4Exchange/9.6/en-US/166855.htm

      Add a condition for the Attachment filtering rule, select File name mask instead of File format, and then add *.bat or *.cmd to the list.