All Activity

Collect script output is a must for most KATA-related issues and questions. Which information? Which file? How to find/interpret? Example КАТА version and role: CN/PCN/SCN/Sensor /config/apt-va File contains the version and role in human-readable form. Also, you can see if the node was upgraded from previous KATA versions in 'migrate' line Primary CN [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.5.0-1269 release=release master = yes sensor = yes timestamp = 1568700994 migrate = cn_role = pcn Standalone CN [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.6.1-713 release=release master = yes sensor = yes timestamp =1572445307.01 migrate = cn_role = cn Sensor node [product] name=kata-cn title=Kaspersky Anti Targeted Attack Platform version=3.6.1-713 release=release master = no sensor = yes timestamp =1583845362.98 migrate = cn_role = Virtual or hardware? /environment/dmesg.txt OR /var/log/messages OR /var/log/boot.log Search for "DMI" entries in the file. Physical server [ 0.000000] DMI: HPE ProLiant DL560 Gen10/ProLiant DL560 Gen10, BIOS U34 06/20/2018 Virtual server [ 0.000000] DMI: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 04/05/2016 CPU /environment/cpuinfo.txt Scroll to the bottom of the file. Each "processor" listed is not a physical core, but virtual "thread", so, i.e. 8-physical core CPU with hyper-threading will have 16 CPUs in the file. Keep in mind that CPUs are counted from 0, so for 16-thread CPU last entry will have number 15. processor : 15 vendor_id : GenuineIntel cpu family : 6 model : 79 model name : Intel(R) Xeon(R) Platinum 8158 CPU @ 3.00GHz stepping : 0 microcode : 0x2000050 cpu MHz : 2992.968 cache size : 25344 KB physical id : 0 siblings : 16 core id : 15 cpu cores : 16 apicid : 15 initial apicid : 15 fpu : yes fpu_exception : yes cpuid level : 13 wp : yes flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts nopl xtopology tsc_reliable nonstop_tsc eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch ibrs ibpb stibp fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 invpcid rtm rdseed adx smap xsaveopt arat spec_ctrl intel_stibp arch_capabilities bogomips : 5985.93 clflush size : 64 cache_alignment : 64 address sizes : 43 bits physical, 48 bits virtual power management: RAM /environment/memory.txt File shows free command output. Values are in megabytes, pay attention to 'total' and 'available' columns. NB! Ignore 'free' column: despite of it's name, it doesn't actually show free RAM, 'available' column does it. total used free shared buff/cache available Mem: 197308 63869 3634 6738 129804 125558 Swap: 0 0 0 HDD /environment/hdd.txt Pay attention to partitions /dev/sda* and /dev/sdb*. If /dev/sdb* partition is present, you are dealing with two-disk installation, otherwise, it's one-disk installation. NB! Always check HDD partitions size and available free space! KATA needs a LOT of disk space to work correctly. Most important partitions are: /dev/sda4 1.2T 894G 224G 80% /data ← Used for processing queues and quarantine, main partition for KATA /dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage ← Used for EDR data: (telemetry from Endpoint Sensors) Filesystem Size Used Avail Use% Mounted on /dev/sda3 367G 14G 335G 4% / devtmpfs 126G 0 126G 0% /dev tmpfs 126G 252K 126G 1% /dev/shm tmpfs 126G 4.1G 122G 4% /run tmpfs 126G 0 126G 0% /sys/fs/cgroup /dev/sda2 232M 32M 189M 15% /boot /dev/sda1 237M 5.5M 232M 3% /boot/efi /dev/sda4 1.5T 435G 955G 32% /data /dev/sdb1 2.7T 1.4T 1.3T 52% /data/var/lib/kaspersky/storage tmpfs 26G 0 26G 0% /run/user/998 tmpfs 26G 0 26G 0% /run/user/1002 tmpfs 26G 0 26G 0% /run/user/1001 DNS name /environment/hostname.txt File contains exactly the hostname of the machine. kata-cn IP address /environment/ipa.txt /environment/ifconfig.txt Both files contain info about network interfaces and assigned IP addresses. ifconfig command is considered obsolete by community, but it can be useful: it helps to recognize SPAN interfaces. SPAN interfaces usually don't have IP address assigned, but have a lot of traffic. Also, SPAN interfaces always are in promiscuous mode: <UP,BROADCAST,RUNNING,PROMISC,MULTICAST> ipa.txt 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:9f:0e:77 brd ff:ff:ff:ff:ff:ff inet 10.200.178.85/23 brd 10.200.179.255 scope global ens192 valid_lft forever preferred_lft forever inet6 fe80::250:56ff:fe9f:e77/64 scope link valid_lft forever preferred_lft forever 3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 00:50:56:9f:db:4d brd ff:ff:ff:ff:ff:ff inet6 fe80::250:56ff:fe9f:db4d/64 scope link valid_lft forever preferred_lft forever ifconfig.txt ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.200.178.85 netmask 255.255.254.0 broadcast 10.200.179.255 inet6 fe80::250:56ff:fe9f:e77 prefixlen 64 scopeid 0x20<link> ether 00:50:56:9f:0e:77 txqueuelen 1000 (Ethernet) RX packets 604911116 bytes 747444631331 (696.1 GiB) RX errors 0 dropped 26 overruns 0 frame 0 TX packets 368814032 bytes 353073760300 (328.8 GiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet6 fe80::250:56ff:fe9f:db4d prefixlen 64 scopeid 0x20<link> ether 00:50:56:9f:db:4d txqueuelen 1000 (Ethernet) RX packets 437 bytes 135823 (132.6 KiB) RX errors 0 dropped 1125 overruns 0 frame 0 TX packets 8 bytes 656 (656.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 19418334689 bytes 12053991732736 (10.9 TiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 19418334689 bytes 12053991732736 (10.9 TiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 SPAN interface eno2: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 inet6 fe80::42f2:e9ff:fecc:4343 prefixlen 64 scopeid 0x20<link> ether 40:f2:e9:cc:43:43 txqueuelen 1000 (Ethernet) RX packets 122540697216 bytes 104768065608116 (95.2 TiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 7 bytes 586 (586.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 device memory 0xbd5a0000-bd5bffff Sandbox server information /config/apt-agents-id Bottom part of the file contains info about connected sandbox nodes: IP addresses, cert fingerprints and states: Sandbox may be connected, but disabled. [sandbox_node.sandbox1] host = 172.16.0.151 enable = yes fingerprint = C0:15:18:C8:11:46:11:BC:23:50:16:95:10:2D:FF:FA:4E:06:21:90:20:AA:CC:36:53:27:B8:BF:CF:5A:1A:9C Enabled integrations(SPAN, ICAP, etc) /config/preprocessor.conf Preprocessor is the component responsible for main KATA integrations: SPAN, SMTP, ICAP, POP3. You should look for corresponding section in preprocessor.conf: SPAN: [traffic] SMTP: [smtp_proxy] ICAP: [icap] POP3: [pop3] For each section, there's a line defining whether this integration is enabled: enable=yes/no Other integrations like KSMG/KLMS/API aren't easy to check by collect script output Only SPAN is enabled [app] use_syslog=no trace_level=ERR cache_socket=localhost:6379 collector_url=http://centralnode:8081/apt/collector license_remote=no #this section applicable for sections: pop3, smtp_proxy and for traffic section but only for smtp preprocessor [mail] extract_urls=yes #file extensions of attachments which format recognizer is not used for file_extensions=dll,exe,com,java,js,jse,wsf,wsh,vbs,vbe,msi,deb,rpm,apk,zip,7z,rar,iso,cab,jar,bz2,gz,tgz,ace,arj,dmg,xsr,rtf,pdf,msg,eml,vsd,vdx,xps,xsn,odt,ods,odp,sxw,doc,dot,docx,docb,dotx,docm,dotm,xls,xlt,xlm,xla,xll,xlw,xlsx,xltx,xlsm,xltm,xlam,xlsb,ppt,pot,pps,ppam,sldx,sldm,thmx,pptx,potx,pptm,potm,ppsx,ppsm,pub,html,htm,hta,swf,jpg,jpeg,gif,png,tiff,chm,mht,cpl,ocx,pif,scr,bat,cmd,ps1,lnk,reg,msu,msp,z [traffic] enable=yes network_interfaces=ens6f0,ens6f1,ens5f1,ens5f0,ens5f3,ens5f2,eno1,ens3f1,ens3f0 pcap_snaplen=1600 pcap_cores= pcap_filter= checksum_validation=no buffer_size_limit=4096 tcp_threads_number=16 enable_dns=yes enable_http=yes enable_ftp=yes enable_ssl=yes enable_smtp=yes ftp_data_expired_timeout_in_seconds=60 ftp_data_supposed_max_size_in_bytes=10485760 [ksn] enable=yes #possible values of type are KSN or KPSN type=KSN timeout=500 non_dl_formats=GeneralHtml,GeneralTxt,ExecutableJs,ImageGif,ImageJpeg,ImagePng,ArchiveCab ksn_adapter_interfaces= # Change cache entries only you know what are doing. # 0 - disables cache cache_entries=3600100 request_threads=4 [snmp] enable=yes master_agent_address=tcp:localhost:705 ping_interval_in_seconds=15 [icap] enable=no listen_interfaces=ens3f3:1344,ens3f2:1344,eno2:1344 allow204=yes max_connections=5000 respmod_url=av/respmod header_client_ip=X-Client-IP header_client_port=X-Client-Port extract_user=no header_username=X-Authenticated-User base64_decode_username=yes [filter] file_size_limit=100000000 dns_lookup_enable=yes dns_timeout=500 html_filter=/var/opt/kaspersky/apt/update/bases/htmlre.txt [snort] enable=yes alerts_socket=/var/log/kaspersky/snort/snort_alert [pop3] enable=no server= port= user= password= cipher_list=ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:!DSS:!KRB5:!PSK:!RC4:!SRP:!CAMELLIA:!IDEA:!SEED:!3DES:@STRENGTH:!kDH:!kECDH encrypted=yes check_interval_in_seconds=2 accept_any_certificates=no accept_untrusted_self_signed_certificate=yes process_msgs_per_session=3000 request_timeout_in_seconds=60 [smtp_proxy] enable=no max_threads=20 socket_in=inet:10025@127.0.0.1 #RFC 1123 suggests 10 min timeout_in_seconds=600 [stat_engine] enable=yes db=kafka:centralnode:9092?topic=network oltp_bulk_size=1000 subnets= taa_skip_header_proxy_auth=status-code: 407 oltp_raw_data_limit=0 [proxy] enable=no bypass_local_addresses=yes host= port= user= password= Connected Endpoint Sensors /config/aapt_info You can find the beginning of Endpoint Sensors list by searching for 'Agent Status'. To find the number of connected sensors, you need to calculate lines; but it's not easy to automate it as the lines don't have obvious unique grep-able attribute. However, using 'Microsoft Windows' will give you enough precision(it will give a few extra matches from last detections info). Sample entry for 1 agent ae5290b1-c490-404b-beec-ee553d5d64ee | DXB00079395.*.corp | 2019-09-24 08:41:51.579011 | 10.56.14.170 | 3.5.435.0 | 2019-09-23 03:21:26.883616 | 2019-09-24 03:15:28.642816 | t | Microsoft Windows 10 | | | 2346c7a2-a395-4dc4-bc5c-ea99fa488386 | 6 | 568b01b8-4497-decf-7f8c-671bbf8ad8cc KSN/KPSN connection /config/preprocessor.conf From collect script, you can only determine whether KATA is set up to receive verdicts from the cloud, and understand which sort of cloud it is - global KSN or private KPSN. Look for [ksn] section in preprocessor.conf, it's pretty self-explanatory. Keep in mind that you have a tool which allows you to [ksn] enable=yes #possible values of type are KSN or KPSN type=KSN

У той или иной локации может быть один, а может быть и несколько IP. Все, кто подключаются к той или иной локации могут иметь один IP, а могут и несколько разных.

@IT ARB, добрый день. Этот же момент проверьте: https://forum.kaspersky.com/topic/kes-for-android-50554/#findComment-186705

на каждый аккаунт свой ип адрес? или у двух аккаунтов может быть один адрес?

Можно ежедневно скачивать новый образ KRD 2025 , в нем будут свежие юазы

Hello @jjjhjkhjkhkjh, Welcome! Yes, as a *standard* - Kaspersky employs various features to do this, for example: Signature-based detection Behavioral analysis Cloud-based protection (KSN) Real-time protection, However, IF (you) believe (your) phone has been hacked, infected OR manipulated - for a *definitive-answer* to the *generic-question* - please submit a request to Kaspersky Customer Service, https://support.kaspersky.com/b2c/global#contacts - select Email & fill in the template as follows; the KSC Team will work with Kaspersky experts & you to determine the RC of the issue; Kaspersky may request logs, traces & other data, they will guide you: Please share the outcome, with the Community, when it's available? Thank you🙏 Flood🐳+🐋

@tistou77 Bonjour, Sans nouvelles bases de données disponibles une MAJ manuelle s'affiche dans les rapports

Добрый день, У нас нет услуги динамического\статического IP адреса.

Ну а чтоб сервер при каждом новом подключении выдавал адрес, никак?)

1. Я подключаюсь к провайдеру с помощью PPoE. Для обновления баз требуется подключение к интернету. Роутера у меня нет, компьютер подключен напрямую по кабелю. Пользовался Kaspersky Rescue Disk 18.0.11.0(d), там есть настройка PPoЕ. Есть возможность обновить базы. В Kaspersky Rescue Disk 24.0.7.0 не смог найти настройку PPoЕ. Видимо ее оттуда убрали по непонятной причине. Даже сделал отдельную флешку для KRD с persistent-разделом. Но не все так просто - не могу обновить базы. Вопрос к разработчикам. Есть возможность вернуть настройку PPoE в KRD 24.0.7.0? 2. Ну и второй вопрос. KRD лежит на флешке в распакованном виде и загружается с помощью GRUB. В MENU.LST прописано следующее: title 10 - Kaspersky Rescue Disk 2018 set _path= /iso/Antivir/krd2018 set lang=ru # en=English; ru=Russian set _kernel=k-x86_64 checkrange 0,1 is64bit && set _kernel=k-x86 find --set-root %_path%/boot/grub/%_kernel% kernel %_path%/boot/grub/%_kernel% net.ifnames=0 lang=%lang% dostartx trace subdir=%_path%/data initrd %_path%/boot/grub/initrd.xz boot Можно ли сделать так, чтобы обновление баз качались на флешку?

Добрый день. Обратитесь в техподдержку.

Добрый день. IP адрес выдает сервер. Клиент никак на это влиять не может.

День добрый. Выполняю переподключение, а ip адрес не меняется, возможно как то менять ип адрес после каждого переподключения?

еще добавлю, что внутри сети домен (Active Directory) называется abc.bbb.ru и соответственно сервер first.abc.bbb.ru а домен для сайта, где я добавлял A запись aaa.bbb.ru, DNS записи aaa.bbb.ru нет. Не могут проблемы быть из-за этого ?

DNS запись добавилась. Сервер администрирования условно называется FIRST DNS запись first.aaa.bbb.ru На планшете захожу через браузер на FIRST.aaa.bbb.ru:13292 и на роутере вижу что пакеты проходят на сервер. Но касперский на планшете так и не видит сервер и требует интернет соединение.

If an Android malicious program uses malicious means to obtain root privileges on a normal device, can Kaspersky detect and eliminate it without obtaining root privileges?

Welcome to Kaspersky Community. I just sent your URL to U. analysts, waiting for final verdict.

Добры день. А мне наоборот нужно. каждый раз новый ip адрес, например разорвал соединение - новый адресс. такое возможно?

В цифровую эпоху пользователи и компании всё чаще подвергаются многочисленным опасностям в Интернете, таким как вирусы, программы-вымогатели, фишинг и несанкционированный доступ. Kaspersky Internet Security выделяется как комплексное решение, предлагающее многоуровневую защиту для обеспечения безопасности данных и конфиденциальности пользователей. и мне также интересно, используют ли они технологию искусственного интеллекта или чат GPT... для лучшего анализа и интеграции для пользователей.

Добрый день, добавил A запись с именем сервера в DNS. Подожду синхронизации серверов, проверю.

Hello, for some time now I have been getting reports that our users are getting warnings about our domain from Kaspersky Antivirus. My website has been running for 1.5+ years with a great reputation and thousands of customers. We have 24/7 live chat support and are in good standing security wise and with our community. After checking VirusTotal, I see that Kaspersky has marked us as phishing. It is the only security vendor out of many on VirusTotal that has us marked as phishing The domain is: https:// joylink . io/ I would like to request a re-evaluation. Best regards, Erik S.

Добрый день! Все нажатия в приложении на значки копирования не работают. Ничего не копируется. Cmnd+C также не работает. Cmnd+X при этом вырезает и копирует :)

Gracias por su mensaje. Puede dirigirse a la tienda virtual de Kaspersky: https://latam.kaspersky.com sección "Empresas" y elegir según la cantidad de computadores que desea proteger, la opción correspondiente. Si lo que necesita es información de distribuidores autorizados, le invitamos a usar, desde su navegador de preferencia, en el motor de búsqueda, estableciendo: "distribuidores kaspersky Venezuela". Aparecerán en los resultados algunos distribuidores y socios autorizados para vender los productos Kaspersky en el territorio de Venezuela.

Hola a todos en la comunidad del foro, Espero que estén bien. Les escribo para pedirles ayuda u orientación con un problema que tengo al intentar adquirir una solución de seguridad de Kaspersky para mi pequeña empresa (PYME). Después de evaluar varias opciones, decidimos que los productos de Kaspersky son los más adecuados para nuestras necesidades. Sin embargo, me he topado con un obstáculo insalvable en el proceso de compra directa en la web oficial. Al llegar al paso de verificación de la empresa, el sistema me pide que seleccione mi país en una lista desplegable, pero Venezuela no está entre las opciones. He revisado cuidadosamente y no parece haber ninguna alternativa ni método de contacto directo en esa sección que me permita eludir este requisito o validar mi empresa de otra manera. Estoy muy interesado en la licencia, pero este paso me impide continuar. Me gustaría saber si alguno de ustedes ha pasado por una situación similar o si conocen alguna solución. Por ejemplo: ¿Existe alguna forma de gestionar la compra directamente con un representante de ventas que pueda procesar el pedido manualmente? ¿Alguien de otro país no listado ha logrado completar la compra de alguna manera? Agradezco de antemano cualquier información, consejo o experiencia que puedas compartir.