All Activity

  2. AlexeyK

    Adguard

    Apparently this is about this thread. Judging by the replies, the AG developer's question is more about the notification itself, which cannot be hidden and periodically reminds you of itself, than about the substance of the incompatibility.
  3. Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

    Problem Description, Symptoms & Impact

    It is not possible to use a proxy server for KATA 5.0 and/or KATA 5.1 CN on TCP ports 8080, 8090 or 8091. If you configure the proxy server connection settings in KATA 5.0/5.1 using one of those ports, such a configuration will result in a KATA update task failure and KSN connection errors right after those settings are applied.

    This happens because KATA uses ports 8080, 8090 and 8091 for its internal services, and there are preconfigured default iptables rules that prevent incoming and outgoing connections on those ports for external hosts outside of the KATA cluster. This in turn results in connection errors if those ports are also used by the product for outgoing connections to a proxy server.

    Diagnostics

    It can easily be confirmed whether a KATA server is facing those updater and KSN issues by checking the current proxy server configuration in the product's web interface: if one of the listed ports 8080, 8090 or 8091 is used, then the KATA server is probably facing the issue.

    Alternatively, run the command

        iptables -nvL DOCKER-USER

    and check whether the number of rejected packets in the corresponding rules for ports 8080, 8090 and 8091 steadily increases while the update task runs in KATA.

    Workaround & Solution

    To avoid this issue, use one of the following two options:
    - Do not use a proxy server for KATA connections; configure a direct internet connection for the KATA CN nodes.
    - Use a proxy server on a different port; for example, port 3128 is quite a standard option in such cases.
  4. Description

    VMware guests using Kaspersky products hang or crash due to driver conflicts between the drivers used by VMware NSX (vnetWFP.sys, previously vnetflt.sys) and the Network Threat Protection component. This problem is known to happen with the following versions of KES and VMware Tools:
    - KES 11.6 with VMware Tools 10.0.9
    - KES 11.6 and 11.7 with VMware Tools 11.3.5
    - KES 12 with VMware Tools 10.1.7

    Troubleshooting steps

    Update VMware Tools. Sometimes there may be a bug in the driver built into VMware Tools, and ESXi updates its images only through manually installed patches, and it compares the installed version only to the version in its storage, so even if ESXi says that the VM has the current version of VMware Tools, it may actually be outdated. Because of that, a new VM may run with outdated drivers.
    - ESXi and VMware Tools compatibility matrix: https://interopmatrix.vmware.com/Interoperability?col=1,&row=39,&isHidePatch=true&isHideGenSupported=false&isHideTechSupported=false&isHideCompatible=false&isHideNTCompatible=false&isHideIncompatible=false&isHideNotSupported=true&isCollection=false
    - Latest supported VMware Tools version for ESXi 6.5 and 6.7: https://packages.vmware.com/tools/releases/12.1.5/windows/
    - VMware Tools for ESXi 7.0 and newer: https://packages.vmware.com/tools/releases/latest/windows/

    If that did not help, uninstall the NSX Network Introspection drivers of VMware Tools: https://kb.vmware.com/s/article/2149764
    This is the driver that is causing the conflict on VMware's side; therefore removing it will resolve the conflict and should resolve the issue.

    The next solution is temporary and should not be used in production for extended periods of time. Disable Network Threat Protection in the KES settings or in the policy, if it is controlled by KSC. Network Threat Protection uses the klwfp.sys driver, and that driver is causing the conflict with vnetWFP.sys. With that component turned off, the driver loads on startup but doesn't do anything, avoiding the conflict with vnetWFP in most cases.
    - Open the KES window -> Settings -> Network Threat Protection -> switch Network Threat Protection off
    - Open the KES policy properties -> Essential Threat Protection -> Network Threat Protection -> uncheck the Network Threat Protection checkbox

    If nothing helps, submit the case to Kaspersky support with traces, a GSI report including Windows event logs, and a full memory dump.

    Related Information
    - How to collect KES traces: https://support.kaspersky.com/kes11/diagnostics/14364
    - How to collect a full memory dump: https://support.kaspersky.com/common/diagnostics/10659
    - Link to GSI: https://media.kaspersky.com/utilities/ConsumerUtilities/GSI-6.2.2.43.exe
  5. Here's how to change the web UI certificate for KATA SB.

    Create a backup of the original files with the same rights as before (you can check them with the ll /etc/nginx/ssl command):

        cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig
        cp -p /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.orig

    Replace the original files:

        cat my_cert.crt > /etc/nginx/ssl/server.crt
        cat my_cert.key > /etc/nginx/ssl/server.key

    Restart the nginx service:

        systemctl restart nginx.service

    Rights and owner of the files should be the same:

        ll /etc/nginx/ssl
        -rw-r----- 1 root klusers 1.5K Aug 11  2022 server.crt
        -rw------- 1 root root    1.7K Aug 11  2022 server.key
  6. Problem Description, Symptoms & Impact

    When trying to activate KES with a valid license for KATA EDR (the license contains licensing object 184), the activation task results in the error "Internal data incompatible with this application".

    Cause

    The KATA built-in KES component EDR (KATA), responsible for the integration, is not installed on the target machine.

    Diagnostics

    In KSC -> Application properties, the Endpoint Detection and Response (KATA) component version is listed as <N/A>; "Not installed" may be masked with "Not supported by license".

    In the registry, under [HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\\protected\KES.21.13\Installer\features] the key "AntiAPTFeature"=dword:00000001 is missing.

    In logs: in *.SRV.log (trace file) the line for bundles::BundlesControllerImpl::GetNotInstalledFeatures lists (1), and 1 is missing from the bundles::InstalledFeaturesProvider::InstalledFeaturesProvider line:

        09:58:42.239 0x2bf4 INF bundles bundles::BundlesControllerImpl::GetNotInstalledFeatures Not installed features (1): 1
        09:54:03.788 0x2050 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature) 0 (AdminKitConnectorFeature) 24 (AdvancedThreatProtectionFeature) 27 (AmsiFeature) 7 (ApplicationControlFeature) 17 (BehaviorDetectionFeature) 4 (CriticalScanTask) 23 (EssentialThreatProtectionFeature) 11 (ExploitPreventionFeature) 8 (FileThreatProtectionFeature) 19 (FirewallFeature) 5 (FullScanTask) 14 (NetworkThreatProtectionFeature) 12 (RemediationEngineFeature) 25 (SecurityControlsFeature) 18 (UpdaterTask) 22 (WholeProductFeature) }

    In *.SRV.log (trace file) for a good machine, bundles::InstalledFeaturesProvider::InstalledFeaturesProvider will list 1 (AntiAPTFeature):

        08:14:31.733 0x1e30 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature) 0 (AdminKitConnectorFeature) 24 (AdvancedThreatProtectionFeature) 1 (AntiAPTFeature) 7 (ApplicationControlFeature) 15 (BadUSBAttackPreventionFeature) 17 (BehaviorDetectionFeature) 4 (CriticalScanTask) 6 (DeviceControlFeature) 23 (EssentialThreatProtectionFeature) 11 (ExploitPreventionFeature) 8 (FileThreatProtectionFeature) 5 (FullScanTask) 16 (MailThreatProtectionFeature) 14 (NetworkThreatProtectionFeature) 12 (RemediationEngineFeature) 25 (SecurityControlsFeature) 18 (UpdaterTask) 21 (WebControlFeature) 20 (WebThreatProtectionFeature) 22 (WholeProductFeature) }

    Solution

    NB! The EDR Optimum, EDR Expert and EDR (KATA) components are not compatible with each other. Only one can be installed.
    - Create a Change Components task for the affected machines.
    - Execute the task.
    - Verify that the component is installed.

    How to check that the KES 'KATA' component is enabled, up and running

    1) Let's check that the component is enabled first. In GSI > Registry > HKLM_Software_Wow6432Node_KasperskyLab.reg.txt > [HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\\protected\KES.21.13\Installer\features] > "AntiAPTFeature"=dword:00000001 (should be like this).
    2) Search in *.SRV.log (trace file) for bundles::InstalledFeaturesProvider::InstalledFeaturesProvider; it should be the same line as quoted above for a good machine, containing 1 (AntiAPTFeature).
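    The two checks above (the feature list in the *.SRV.log trace and the "AntiAPTFeature" value in the exported features key) can be automated over collected diagnostics. The following is an added example, not part of the original post or of any Kaspersky tool; the trace and .reg fragments are constructed and shortened from the lines quoted above, and the line formats are assumed to be exactly as quoted.

```python
import re

# Feature id that the trace lines above show as "1 (AntiAPTFeature)".
ANTI_APT_FEATURE_ID = 1

# "...InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature) ... }"
_PROVIDER_RE = re.compile(
    r"bundles::InstalledFeaturesProvider::InstalledFeaturesProvider\{([^}]*)\}")
# "...GetNotInstalledFeatures Not installed features (1): 1"
_NOT_INSTALLED_RE = re.compile(
    r"GetNotInstalledFeatures Not installed features \(\d+\):([\d ]*)")
# One "<id> (<FeatureName>)" entry inside the braces.
_FEATURE_RE = re.compile(r"(\d+)\s*\(([A-Za-z0-9_]+)\)")
# The "AntiAPTFeature"=dword:00000001 value in a .reg export of the features key.
_REG_FEATURE_RE = re.compile(r'"AntiAPTFeature"=dword:([0-9a-fA-F]{8})')


def installed_features(trace_text):
    """Return {feature_id: feature_name} from the last InstalledFeaturesProvider line in the trace."""
    features = {}
    for match in _PROVIDER_RE.finditer(trace_text):
        features = {int(fid): name for fid, name in _FEATURE_RE.findall(match.group(1))}
    return features


def not_installed_features(trace_text):
    """Return the set of feature ids reported by GetNotInstalledFeatures (all occurrences)."""
    ids = set()
    for match in _NOT_INSTALLED_RE.finditer(trace_text):
        ids.update(int(token) for token in match.group(1).split())
    return ids


def edr_kata_installed_per_trace(trace_text):
    """True when id 1 (AntiAPTFeature) is listed as installed and never reported as not installed."""
    return (ANTI_APT_FEATURE_ID in installed_features(trace_text)
            and ANTI_APT_FEATURE_ID not in not_installed_features(trace_text))


def edr_kata_installed_per_registry(reg_text):
    """True when the exported features key contains "AntiAPTFeature"=dword:00000001."""
    match = _REG_FEATURE_RE.search(reg_text)
    return match is not None and int(match.group(1), 16) == 1


# Constructed sample trace lines, shortened from the ones quoted in the post above.
AFFECTED_TRACE = """\
09:58:42.239 0x2bf4 INF bundles bundles::BundlesControllerImpl::GetNotInstalledFeatures Not installed features (1): 1
09:54:03.788 0x2050 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature) 0 (AdminKitConnectorFeature) 24 (AdvancedThreatProtectionFeature) 22 (WholeProductFeature) }
"""
GOOD_TRACE = """\
08:14:31.733 0x1e30 INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature) 0 (AdminKitConnectorFeature) 24 (AdvancedThreatProtectionFeature) 1 (AntiAPTFeature) 22 (WholeProductFeature) }
"""
# Constructed .reg fragments of the features key named in the post.
GOOD_REG = r"""[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\protected\KES.21.13\Installer\features]
"AntiAPTFeature"=dword:00000001
"""
AFFECTED_REG = r"""[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\protected\KES.21.13\Installer\features]
"""

if __name__ == "__main__":
    print("affected trace:", edr_kata_installed_per_trace(AFFECTED_TRACE))
    print("good trace:", edr_kata_installed_per_trace(GOOD_TRACE))
    print("affected registry:", edr_kata_installed_per_registry(AFFECTED_REG))
```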
  7. Don't apply this to a PCN: it will lead to the disconnection of all attached SCNs, and they will not be restored automatically.

    Problem Description

    A PCN connection request got stuck in the "Waiting" status and doesn't result in failure. A reboot doesn't help. It can happen if, for example, an SCN IP was specified instead of the PCN.

    Solution

    Run the following commands as root to cancel the PCN connection request:

        # console-settings-updater get /ipsec > /home/admin/ipsec.orig.json && chmod 777 /home/admin/ipsec.orig.json
        # console-settings-updater set /ipsec "{}"

    Clear the browser cache and reload the page. Alternatively, force the reload (Ctrl+F5 in FF). The server status will revert to the Standalone solution. Select the Distributed solution, specify the correct IP of the PCN and retry the connection.

    To restore the config in case of error (cancel the PCN connection request):

        # console-settings-updater set /ipsec @/home/admin/ipsec.orig.json
  8. Application of exclusions for KES configured in the KES Cloud environment can differ between Windows Client and Windows Server.

    If exclusions are set up for all components by selecting the checkboxes as shown in the screenshot, then the exclusions will only apply to the component selected by the checkbox. KES behavior may differ on the Windows Client and Windows Server operating systems.

    To apply exclusions to all components on both the Windows Client and Windows Server operating systems, disable all the checkboxes. To apply the same settings in KES, select the All Components parameter in the local interface of KES as shown in the screenshot.

    Apply the settings described above if you have an unexpected detection on Windows Server operating systems when the detected file is already added to the exclusions.
  9. As stressed in the product documentation, the Sandbox, which is deployed as a virtual machine, should have exact sizing; violating it may lead to various issues. The only parameter that can be varied is the CPU clock rate.

    Common mistake

    The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources. The correct approach is to create a respective number of additional VMs and distribute these resources between them. For example, if you want to double the performance of a KATA Sandbox VM, instead of adding 15 more CPU cores and 32 more gigabytes of RAM to an existing Sandbox, you need to deploy a new Sandbox VM with the following resources:
    - CPU: 15 cores, 2.1 GHz or higher
    - RAM: 32 GB
    - HDD volume: 300 GB
    - Two network adapters with 1 Gbit/s data transfer rate

    Virtual machine settings:
    - Only the VMware ESXi hypervisor is fully supported.
    - Nested virtualization is enabled.
    - Supported VMware ESXi versions: 6.5, 6.7U3 or 7.0 hypervisor.
    - Entire CPU clock rate reserved. For the minimum CPU clock this means 12*2100=25200 MHz reserved. For a clock rate higher than 2.21Hz, use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>.
    - Entire RAM reserved (32 GB).
    - Expose hardware assisted virtualization to the guest OS check box selected.
    - Latency Sensitivity option set to High.
    - No Secure Boot.
    - The maximum number of simultaneously running virtual machines set to 12.

    Please note, these cannot be checked from a debug report or from inside of the VM, as these settings are configured in the hypervisor.

    Checking the VMX file

    Obtain the .vmx file of the respective sandbox VM. Demo video showing how to locate a .vmx file. Note that in this video the goal is to modify the .vmx, and we only need to access it for reading; therefore, there is no need to unregister the VM from inventory as done in the video.

    All the following lines in the .vmx file must match exactly, with the following two exceptions:
    - For sched.cpu.min, the value can be higher than 25200, see the formula above.
    - The line uefi.secureBoot.enabled might be absent, which is OK.

    Correct .vmx settings:

        numvcpus = "15"
        sched.cpu.units = "mhz"
        sched.cpu.min = "26400"
        memSize = "32768"
        sched.mem.min = "32768"
        vhv.enable = "TRUE"
        sched.cpu.latencySensitivity = "high"
        uefi.secureBoot.enabled = "FALSE"
        ethernet0.present = "TRUE"
        ethernet1.present = "TRUE"

    Checking the number of slots

    In the Sandbox web interface window, select the Administration section. In the Guest virtual machines group of settings, in the Maximum simultaneous VMs field, the number of simultaneously running virtual machines must equal 12.
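    The .vmx comparison above, including its two exceptions (sched.cpu.min may exceed the 25200 MHz minimum reservation; uefi.secureBoot.enabled may be absent), as an added example that is not part of the original post or of any Kaspersky/VMware tooling. The .vmx fragments are constructed; values are compared case-insensitively, which is an assumption of this example.

```python
import re

# Required settings from the "Correct .vmx settings" list above.
REQUIRED_VMX = {
    "numvcpus": "15",
    "sched.cpu.units": "mhz",
    "memSize": "32768",
    "sched.mem.min": "32768",
    "vhv.enable": "TRUE",
    "sched.cpu.latencySensitivity": "high",
    "ethernet0.present": "TRUE",
    "ethernet1.present": "TRUE",
}
# Exception 1: sched.cpu.min may be higher than the 12 * 2100 MHz reservation for the minimum clock rate.
MIN_CPU_RESERVATION_MHZ = 12 * 2100  # 25200
# Exception 2: uefi.secureBoot.enabled may be absent; when present it must be FALSE.
OPTIONAL_VMX = {"uefi.secureBoot.enabled": "FALSE"}

_VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"([^"]*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file; comments and malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def check_sandbox_vmx(text):
    """Return a list of problems found in the .vmx text; an empty list means it matches the sizing."""
    vmx = parse_vmx(text)
    problems = []
    for key, expected in REQUIRED_VMX.items():
        actual = vmx.get(key)
        if actual is None:
            problems.append(f'{key} is missing (expected "{expected}")')
        elif actual.lower() != expected.lower():
            problems.append(f'{key} = "{actual}" (expected "{expected}")')
    cpu_min = vmx.get("sched.cpu.min", "")
    if not cpu_min.isdigit():
        problems.append("sched.cpu.min is missing or not numeric")
    elif int(cpu_min) < MIN_CPU_RESERVATION_MHZ:
        problems.append(f"sched.cpu.min = {cpu_min} is below the {MIN_CPU_RESERVATION_MHZ} MHz reservation")
    for key, expected in OPTIONAL_VMX.items():
        actual = vmx.get(key)
        if actual is not None and actual.lower() != expected.lower():
            problems.append(f'{key} = "{actual}" (expected "{expected}" or absent)')
    return problems


# Constructed sample: the settings listed above, with an unrelated line and a comment mixed in.
GOOD_VMX = """\
.encoding = "UTF-8"
# sizing per the KATA Sandbox documentation
numvcpus = "15"
sched.cpu.units = "mhz"
sched.cpu.min = "26400"
memSize = "32768"
sched.mem.min = "32768"
vhv.enable = "TRUE"
sched.cpu.latencySensitivity = "high"
ethernet0.present = "TRUE"
ethernet1.present = "TRUE"
"""
# Constructed sample of the "one huge VM" mistake: doubled vCPUs/RAM, under-reserved clock, Secure Boot on, one NIC.
BAD_VMX = """\
numvcpus = "30"
sched.cpu.units = "mhz"
sched.cpu.min = "20000"
memSize = "65536"
sched.mem.min = "65536"
vhv.enable = "TRUE"
sched.cpu.latencySensitivity = "normal"
uefi.secureBoot.enabled = "TRUE"
ethernet0.present = "TRUE"
"""

if __name__ == "__main__":
    print("good:", check_sandbox_vmx(GOOD_VMX))
    for problem in check_sandbox_vmx(BAD_VMX):
        print("bad:", problem)
```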
  10. Product: KSC 11+. Applies also to the update utility version 4.1 and more recent.

    Consider the following problematic scenarios:
    - You have installed KSWS on the KSC server and enabled the Traffic Security component, and Traffic Security uses the MITM mechanism to analyze traffic.
    - You use 3rd-party software or a hardware appliance for traffic filtering, and this appliance disrupts connections to HTTPS-enabled public update servers. It can be a hardware appliance like BlueCoat or F5, FortiGate SSL Deep Inspection, or a software proxy like Squid that uses ICAP to redirect traffic to another security application for scanning.

    KL uses the HTTP public key pinning mechanism to verify update server authenticity; the certificate used for authentication is self-signed by KL. Using any MITM-based solution for SSL traffic inspection will lead to failures in establishing the connection between KSC and an HTTPS-enabled KL update source. It happens because any MITM traffic inspection will forward a wrong certificate to KSC after inspection, and KSC 11 will break the connection.

    The following string can be found in the up2date trace:

        self signed certificate in certificate chain

    The following trace files are required for accurate diagnostics: $up2date-1103.*, $up2date-1103-eka.*

    Please bear in mind that Kaspersky Support needs the KSC traces mentioned above to be collected BEFORE you apply any of the workarounds listed in this post.

    Troubleshooting steps

    If you have KSWS blocking traffic, add the Up2Date.exe process or the update source certificate to trusted in the Traffic Security settings.

    If you use a 3rd-party appliance to filter traffic, you can explicitly allow traffic signed by the KL certificate. Otherwise you can use HTTP to download updates. There are two ways to make KSC use HTTP:

    1. Set a server flag on KSC using the following command:

        klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1

    and on Update Agents (Distribution Points) getting updates from the internet, if any:

        klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1

    2. Explicitly set the update task to use HTTP source URLs, for example http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter in http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml

    Download updates using update utility 4.0. More recent versions of the update utility use https.
  11. Description and cautions

    This is a short article about how to burn a KATA ISO onto a USB drive. For KATA 4.0/4.1 you need an 8 GB USB drive, for 5.0/5.1 at least 16 GB. 3rd-party solutions are involved, therefore success is not guaranteed. Ventoy is the preferable working method.

    Details

    Download the latest Rufus release, or Ventoy (how to use Ventoy is described here), or Balena: https://etcher.balena.io/

    [Rufus part]
    Open it and select the respective KATA ISO.
    - KATA 4.0/4.1: the Rufus config should be like on the screenshot below (Partition scheme GPT, Target system UEFI).
    - KATA 5.0/5.1: Partition scheme MBR, Target system BIOS or UEFI.
    After clicking Start, choose Write in DD image mode.
  12. Description and cautions

    Here's how to configure exporting only detects from KWTS to an external syslog server which accepts a TCP stream on facility local1.

    Details

    Create the file /etc/rsyslog.d/kwts-detects.conf with the contents below (replace SERVER:PORT with your external syslog server; use @SERVER:PORT if UDP is in use instead of TCP):

        $ActionQueueFileName KWTSDetects
        $ActionQueueType LinkedList
        $ActionQueueMaxDiskSpace 1g
        $ActionResumeRetryCount -1
        $ActionQueueSaveOnShutdown on
        if ($syslogfacility-text == 'local1' and (
                $msg contains 'av-status="Detected' or
                $msg contains 'encrypted="Detected' or
                $msg contains 'macros="Detected' or
                $msg contains 'ap-status="Detected' or
                $msg contains 'mlf-status="Detected' or
                $msg contains 'kata-alert="Detected'
            )) then {
            @@SERVER:PORT
        }

    Restart the rsyslog service like this:

        systemctl restart rsyslog
  13. Problem

    There is no option to change the Local Administrator/Cluster Administrator password in the pseudo-graphic menu available by default.

    Solution

    a) Upgrade to 5.1
    b) Follow these steps:
    - Download an archive with the WHL packages. Upload it to the KATA CN as /tmp/change_password.zip
    - Extract it (no unzip is shipped by default):
        echo -e "import zipfile\nwith zipfile.ZipFile('/tmp/change_password.zip', 'r') as z:\n z.extractall('/tmp/')" | python3
    - Become root:
        sudo su
    - Confirm this is the right node:
        docker ps | grep kedr_database_server
    - Install the installer patch (installer-1.0-py3-none-any.whl):
        pip3 install --ignore-installed --no-deps /tmp/installer-1.0-py3-none-any.whl
    - Install the docker_utils patch (docker_utils-1.0-py3-none-any.whl):
        pip3 install --ignore-installed --no-deps /tmp/docker_utils-1.0-py3-none-any.whl
    - Restrict changing the password to root:
        which kata-web-admin-change-password | xargs chmod 754
    - Change the password by running:
        kata-web-admin-change-password
      Enter the new password at the prompt; no confirmation or validation will be given.

    Selecting the correct node

    The script must be executed on the node with the kedr_database_server container; by default it is the processing node installed first, node2 in the cluster. If it is executed on the wrong node, a hint will be given which one is the right one.
  14. Description and cautions

    You may experience a low time-to-live value set in ICMP network packets sent by klnagents. The following can be seen in a Wireshark traffic dump:

    Explanation: there are two modes of distribution point search:
    0 - search for the nearest DP using a tool similar to traceroute. It generates a number of ICMP packets to find out the nearest route to the DP; this is the default mode.
    1 - selection of a random DP without sending such an amount of ICMP packets.

    This mode is configured on the administration server computer via the klscflag utility and is enabled for all managed hosts. The following command should be run as administrator on the KSC Server computer to switch to mode 1:

        klscflag.exe -fset -pv klserver -n SrvChooseUaMode -v 1 -t d

    A restart of the kladminserver service is required to apply the changes. The distribution point will be randomly selected among all available DPs.
  15. Description and cautions

    A KSN connection error may appear on the KATA web UI.

    Details

    It can be fixed unless you have permanent KSN errors; you have to check this in ksn_proxy.log at DEBUG level. The key word is ErrCount. If you don't see ErrCount: 0 in the log, then you don't have access to our KSN servers, which are:
        *.ksn.kaspersky-labs.com
        ksn-*.kaspersky-labs.com
        ds.kaspersky.com

    In order to fix this web error, do as below.

    For KATA 4.0/4.1

    Under root at the CN execute:

        apt-settings-manager set --merge /configuration/preprocessor '{"ksn": {"non_dl_formats": ["GeneralHtml", "GeneralTxt", "ExecutableJs", "ImageGif", "ImageJpeg", "ImagePng", "ArchiveCab"], "request_threads": 4, "timeout": "PT1.5S"}}'

    * PT1.5S means 1.5 seconds; don't increase it further.

    Then let's increase "errors_increase_threshold" to 100 (actually you have to check the ksn_proxy debug log in order to understand how many KSN connection errors you have and adjust this parameter accordingly):

        apt-settings-manager set --merge /configuration/monitoring_prometheus '{"ksn_proxy": {"errors_increase_threshold": 100, "errors_window_period": "10m", "scraping_alert_for_interval": "1m", "scraping_evaluation_interval": "30s"}}'

    If this helps, then make this change persistent:

        vim /etc/opt/kaspersky/apt-swarm/swarm_config.json

    Find:

        "ksn": {
            "non_dl_formats": [
                "GeneralHtml",
                "GeneralTxt",
                "ExecutableJs",
                "ImageGif",
                "ImageJpeg",
                "ImagePng",
                "ArchiveCab"
            ],
            "request_threads": 4,
            "timeout": "PT0.5S"            <<<<< set 1.5S

    Find:

        "ksn_proxy": {
            "errors_increase_threshold": 2,    <<<<< set 100
            "errors_window_period": "10m",
            "scraping_alert_for_interval": "1m",
            "scraping_evaluation_interval": "30s"

    For KATA 5.+/6.+

    Use one line:

        console-settings-updater set --merge /kata/configuration/product/monitoring_prometheus '{"alert_settings": {"ksn_proxy": {"errors_increase_threshold": 100}}}'

    If the value 100 doesn't help, you may increase it to 150-200.

    Or use the long way. Under root at the CN execute:

        console-settings-updater get /kata/configuration/product/monitoring_prometheus | python3 -m json.tool > /tmp/monitoring_prometheus

    Make changes in /tmp/monitoring_prometheus (via vim or nano) by finding the following block:

        "ksn_proxy": {
            "errors_increase_threshold": 100,    <<<<<< put the value 100 here instead of the default 2

    Save the file (ESC :wq!). Put the changes back into the container:

        console-settings-updater set /kata/configuration/product/monitoring_prometheus @/tmp/monitoring_prometheus

    If the value 100 doesn't help, you may increase it to 150-200.
  16. Problem:
    - Create a Group On Demand Scan task for Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2.
    - Launch the Group On Demand Scan task.
    The Group On Demand Scan task of Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2 might detect an infected object but might not delete it.

    Solution:
    - Delete the created Group On Demand Scan task of Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2.
    - Delete all created Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2 policies.
    - Add the registry key on the Kaspersky Administration Server:
      5_2_ksc_win_x86_fix.reg if the Kaspersky Administration Server is installed on an x86 operating system
      5_2_ksc_win_x64_fix.reg if the Kaspersky Administration Server is installed on an x64 operating system
    - Create the Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2 policies anew.
    - Create the Group On Demand Scan task of Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2.
    - Launch the Group On Demand Scan task of Windows Kaspersky Light Agent 5.2/Linux Kaspersky Light Agent 5.2.
  17. Problem

    You may use images with KEA installed that are distributed to multiple devices, or some hardware vendors (ACER) do not comply with standards and sell hardware with non-unique BIOS IDs, etc. As a result, telemetry from different agents may end up merged into a single record.

    Symptoms
    - Certain hostnames are present in KATA alerts, but the search returns 0 events. Moreover, such hostnames are not present in the agent list.
    - If looked up by IP in the database/logs, the UUID is found to be non-unique or belonging to another host.
    - The same UUID is found in KEA logs from different machines.
    - There is UUID 03000200-0400-0500-0006-000700080009 in the logs.
    - There is UUID 6ab5b300-538d-1014-9fb5-b0684d007b53 in the logs.
    - There is UUID 0bea76da-28ca-4e13-9715-361a8bbf3bc8 in the logs.

    Solution for KEA

    Run the new script on the affected machine to reset the UUID.

    Solution for KES with built-in Endpoint Agent

    Download this script and unpack it. Please check the KES version inside of it and change it if needed. Turn off the self-defence feature of KES and run the script. After that, please restart KES and the UUID should be changed (if restarting KES does not work, then please reboot the machine). For 32-bit systems use this 32-bit script.

    Solution for KESL with built-in Endpoint Agent

        uuidgen > /var/opt/kaspersky/epagent/install_id
        uuidgen > /var/opt/kaspersky/kesl/common/pcid
        systemctl restart kesl

    Solution for LENA

    Remove LENA from the host:

        rm /var/opt/kaspersky/kesl/common/install_id

    Reinstall LENA.
  18. KATA Sandbox provides instruments to manage SB images, ISO files and the VM slots number via CLI. For details, see below.

    Slots

    Sometimes it is convenient to change the slot number via CLI. To do so, become the root user and run:

        /opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots>

    Change the slot number via CLI:

        # /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12

    Images

    ISOs can be managed using the sb-vm-iso tool.

        # sb-vm-iso
        Usage:
          --list-iso
          --state [<iso-name>]
          --install <iso-name>
          --check-install <iso-name>
          --remove <iso-name>
          --add <iso-path>
        # sb-vm-iso --list-iso
        {"iso": ["sandbox-images-centos7_x64-1.0.0.19888.x86_64.iso", "sandbox-images-win10_x64-1.1.0.18829-vl.x86_64.iso"]}

    VMs

    VM management is done using the sb-vms tool.

        # sb-vms
        Usage:
          --list-vms
          --list-non-activated
          --activate <vm_id> '[{"id": "<component-id>", "key": "<component-key>"} ]'
          --apply-all
          --reset
          --remove <vm_id>
        # sb-vms --list-vms
        {"vms": [{"id": "CentOS7_x64-1.0.0.19888", "name": "CentOS7_x64-1.0.0.19888", "status": "installed", "description": ""}, {"id": "Win10_x64-1.1.0.18829", "name": "Win10_x64-1.1.0.18829", "status": "installed", "description": ""}]}

    VMs removal using the sb-vms tool

    Counterintuitively, using the IDs obtained by "sb-vms --list-vms" for "sb-vms --remove" doesn't work. Instead, obtain the IDs from the kata_scanner etcd on the Central Node using apt-settings-manager:

    KATA 4.1

        # apt-settings-manager get /configuration/kata_scanner | python -m json.tool | grep images -A5
            "images": [
                "CentOS7_x64",
                "Win7_x64",
                "Win10_x64",
                "WinXP"
            ],

    To remove images one by one (KATA 4.1 SB):

        # sb-vms --remove CentOS7_x64
        # sb-vms --remove WinXP
        # sb-vms --remove Win7_x64
        # sb-vms --remove Win10_x64

    Same principle for 5+/6+: obtain the IDs from the kata_scanner etcd on the Central Node using console-settings-updater:

    KATA 5+/6+

        # console-settings-updater get /kata/configuration/product/kata_scanner | python3 -m json.tool | grep images -A6
            "images": [
                "Astra_x64",
                "CentOS7_x64",
                "Win7_x64",
                "Win10_x64",
                "WinXP"
            ],

    To remove images one by one (KATA 5+/6+ SB):

        # sb-vms --remove Astra_x64
        # sb-vms --remove CentOS7_x64
        # sb-vms --remove WinXP
        # sb-vms --remove Win7_x64
        # sb-vms --remove Win10_x64
  19. Consider the following scenario: you have a large local area network 10.36.0.0/16. There is a managed device with the following IP config: IPv4 address 10.36.35.10 and subnet mask 255.255.255.0. You create a new subnet condition for the klnagent connection profile: 10.36.0.0/16.

    Actual result: the connection profile is not applied to the managed device.

    The reason for this behavior is the equality logic used by klnagent. It verifies whether the condition matches by comparing the current values of the IP address and subnet mask of the managed device: IP address 10.36.35.10 is within the 10.36.0.0/16 network; however, subnet mask 255.255.255.0 is not equal to the 255.255.0.0 specified in the condition.

    Solution: in order for the rule to work correctly, each 10.36.0.0/24 subnet (including 10.36.35.0/24) of the larger 10.36.0.0/16 network should be added as a condition:
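    The equality logic described above versus the containment logic an administrator usually expects, and the enumeration of the /24 conditions the solution calls for, as an added example that is not part of the original post or of klnagent itself (the device, mask and network are the ones from the scenario; nothing else is assumed).

```python
import ipaddress


def device_network(device_ip, device_mask):
    """The network derived from the device's own IP address and subnet mask."""
    return ipaddress.IPv4Network((device_ip, device_mask), strict=False)


def equality_match(device_ip, device_mask, condition):
    """klnagent's logic as described above: network address AND mask must both be equal."""
    return device_network(device_ip, device_mask) == ipaddress.IPv4Network(condition, strict=False)


def containment_match(device_ip, condition):
    """What an administrator usually expects: the device IP lies inside the condition network."""
    return ipaddress.IPv4Address(device_ip) in ipaddress.IPv4Network(condition, strict=False)


def conditions_for(large_network, device_prefix_len):
    """Enumerate the subnets of large_network at the prefix length the devices actually use;
    each one must be added as a separate condition for the profile to apply."""
    net = ipaddress.IPv4Network(large_network, strict=False)
    return [str(subnet) for subnet in net.subnets(new_prefix=device_prefix_len)]


def evaluate(device_ip, device_mask, condition):
    """Summarize both interpretations for one device and one condition."""
    return {
        "device_network": str(device_network(device_ip, device_mask)),
        "condition": str(ipaddress.IPv4Network(condition, strict=False)),
        "equality_match": equality_match(device_ip, device_mask, condition),
        "containment_match": containment_match(device_ip, condition),
    }


if __name__ == "__main__":
    # The device and condition from the scenario above: contained, but not equal.
    print(evaluate("10.36.35.10", "255.255.255.0", "10.36.0.0/16"))
    # The /24 condition that the device's own mask actually produces.
    print(evaluate("10.36.35.10", "255.255.255.0", "10.36.35.0/24")["equality_match"])
    # The 256 conditions needed to cover the whole /16 for /24 devices.
    needed = conditions_for("10.36.0.0/16", 24)
    print(len(needed), needed[35])
```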
  20. Problem Description

    While installing KES for Windows via a KSC installation package, the following error appears and interferes with the installation.

    Possible causes:
    - KES components already installed before the installation.
    - Required driver files were not found.

    Workaround & Solution

    Use kavremover and reinstall KES with the latest patch. In case kavremover does not help, please collect procmon and KES installation logs, an actual GSI with event logs, and submit the case to Kaspersky support.
  21. The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center. To do so, follow these steps:
    1. Back up the data of Kaspersky Security Center using one of the methods described below:
       - Backup and Restore Wizard
       - Backup task
    2. Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help. Then export the list of currently installed plug-ins in .csv format.
    3. Download the latest version of Kaspersky Security Center.
    4. Install Kaspersky Security Center. For instructions, see Online Help.
    5. If needed, you can restore the Administration Server data. For details, see Online Help.

    Important notes
    - Make a note of the password configured during the backup process.
    - Install Kaspersky Security Center on a new server if your current database server is not supported. Then restore the database data.
    - Restoration works between database servers of the same type. If you use SQL Server as a DBMS, you can migrate data to a MySQL or MariaDB DBMS before the upgrade. For details, see Online Help.
    - It is possible to restore data from an SQL Express database to an SQL Standard database, but restoration of data from an SQL Standard database to an SQL Express database is supported with limitations. For further details, please check this Online Help page.
  22. Description and cautions

    This article describes the KSC rel. 13.2 to rel. 14.x software upgrade procedure.

    Prerequisites: KSC 13.2 on MS Windows

    S/N  Action (Online-Help)
    1    Download the KSC 14 version
    2    Take a backup of the KSC Administration Server
    3    Take a backup of the KSC database
    4    Export policies (NA, KES) and encryption keys
    5    Run cmd as administrator -> on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center -> klfoc -stopcluster --stp klfoc  (https://support.kaspersky.com/KSC/14/en-US/222447.htm)
    5.1  Check that all Kaspersky Security services were stopped on both nodes
    6    Install KSC 14 on the primary node: run the ksc_14_<build number>_full_<language>.exe file  (https://support.kaspersky.com/KSC/14/en-US/235429.htm)
    6.1  If the name of the load balancer matches the name of the first node, then the upgrade process may "freeze" and will be finished after several network connection timeouts:
         EventsProcessorProxy: #1281 Failed to establish connection with the remote device (location: 'http://kscnode01.demo.lab:13000'): connection has failed.
    6.2  Perform the same steps on the passive node: run the ksc_14_<build number>_full_<language>.exe file  (https://support.kaspersky.com/KSC/14/en-US/235429.htm)
    7    Run cmd as administrator -> on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center -> klfoc -startcluster --stp klfoc  (https://support.kaspersky.com/KSC/14/en-US/222447.htm)
    8    Connect to the Administration Server
    9    Restart the passive node or start the klfoc service
    10   Make sure and verify that the machines and policies are available in the console
  23. This article gives working configuration instructions for domain authentication using the NTLM and Kerberos protocols.

    NOTE: Domain authentication in OpenAPI over the Kerberos protocol has the following restrictions:
    - The Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for the domain account name.
    - In the domain, you need to set the Service Principal Name (SPN) to publish the OpenAPI service on port 13299 for the machine with the Administration Server, the service of which is running under the name of the domain user <domain-user>.
    - The Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory using the Kerberos protocol.
    - Kerberos authentication should be allowed in the web browser. For details, refer to the documentation of the web browser used.

    Details

    SPN - Service Principal Name

    Log in to the Domain Controller as Domain administrator. Open PowerShell as admin and run the following commands:

        setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service
        setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service

    Example:

        setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc
        setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc
        setspn.exe -L -u sales\ksc    #command to check SPN records
        #Response
        Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:
            HTTP/kscw-node-1.sales.lab
            HTTP/kscw-node-2.sales.lab

    Enable Kerberos/NTLM authentication in web browsers

    Microsoft Edge \ Internet Explorer
    1. Win + R => inetcpl.cpl
    2. Activate the Security tab.
    3. Select Local intranet and click Sites.
    4. In the opened dialog box, click Advanced.
    5. Add the host name of the Adaxes Web interface (e.g. host.company.com).
    6. Click Close and then click OK.
    7. Click Custom level.
    8. Navigate to Scripting and enable Active scripting.
    9. Navigate to User Authentication \ Logon.
    10. Select Automatic logon only in Intranet zone and click OK.
    11. Activate the Advanced tab.
    12. In the Settings list, navigate to the Security section.
    13. Select Enable Integrated Windows Authentication and click OK.

    Mozilla Firefox - https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication
    1. Launch Mozilla Firefox.
    2. In the URL window, enter about:config and press Enter.
    3. In the filter text box, enter network.negotiate.
    4. Double-click the network.negotiate-auth.trusted-uris option and enter the host name of the Adaxes Web interface (e.g. host.company.com).
    5. Repeat the previous step for the network.negotiate-auth.delegation-uris option.

    Google Chrome
    - Add the Software\Policies\Google\Chrome\AuthServerWhitelist key equal to *.<domain-name>.local to the registry.
    - Add the Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist key equal to *.<domain-name>.local to the registry.
  24. Description and cautions

This article shares working examples of KSC API calls for one of the available scenarios: retrieving task results and statistics data for dashboards and reports.

For the Windows version of cURL, the double quotes inside the arguments must be escaped with "\", otherwise the command fails. For example:

    'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites: an internal KSC user, api-user.

The examples use the following values:
- KSC address: 127.0.0.1 (an external address can be used as well)
- API port: 13299 (default)
- User: api-user (internal KSC user), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
- Authentication type: authenticated session; the other types are described in the KSC Open API description.

All requests are given in cURL format; as an alternative the Python library (the KlAkOAPI Python package) can be used.

Login

Start a connection to KSC (Session::StartSession):

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
      --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

The username and password are base64-encoded and are transmitted only inside the secure HTTPS session. For example, https://www.base64encode.org/ can be used for the encoding.
Response:

    { "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

The returned PxgRetVal is the session token; it is passed in the X-KSC-Session header of every following request.

Policies changes alert \ Critical task status

Audit events available

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):

    curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
      --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "pFilter": {
          "EVP_INCL_GNRL_EVENTS": true,
          "EVP_INCL_TASK_STATES": false,
          "EVP_MAX_EVENTS_COUNT": 3000,
          "KLEVP_EVENT_GNRL_TYPES_ARRAY": [
            "KLAUD_EV_SERVERCONNECT", "KLAUD_EV_OBJECTMODIFY", "KLAUD_EV_TASK_STATE_CHANGED",
            "KLAUD_EV_ADMGROUP_CHANGED", "KLAUD_EV_SERVERDISCONNECT", "KLAUD_EV_OBJECTPROPMODIFIED",
            "KLAUD_EV_OBJECTACLMODIFIED"
          ],
          "Name": "Audit events",
          "PredefinedID": "PREDEFINED_QUERY_ID_AUDIT_EVENTS"
        },
        "vecFieldsToReturn": [
          "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name",
          "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version",
          "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8",
          "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID", "GNRL_EA_PARAM_3"
        ],
        "vecFieldsToOrder": [],
        "lifetimeSec": 1000
      }'

Response (iterator ID):

    {"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the records from the iterator (EventProcessing::GetRecordRange):

    curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
      --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' \
      --header 'Content-Type: application/json' \
      --data-raw '{ "strIteratorId": "A07B69A5347CF435DB66C0FA826371FF", "nStart": 0, "nEnd": 100 }'

Response (event records):

    {"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....
Detection of threats

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):

    curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' \
      --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "pFilter": { "KLEVP_EVENT_TYPE": "GNRL_EV_VIRUS_FOUND" },
        "vecFieldsToReturn": [
          "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name",
          "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version",
          "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8",
          "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID"
        ],
        "vecFieldsToOrder": [],
        "lifetimeSec": 1000
      }'

Response (iterator ID):

    {"strIteratorId":"48E14F430EF0058BB039929318693123"}

Get the records from the iterator (EventProcessing::GetRecordRange):

    curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
      --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{ "strIteratorId": "48E14F430EF0058BB039929318693123", "nStart": 0, "nEnd": 20 }'

Response (event records):

    {"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....

Critical task status

Status of the critical tasks: Backup of Administration Server data, Administration Server maintenance, Download updates to the Administration Server repository.
For example, Backup of Administration Server data. strTask is the task ID shown in the Web Console URL when the task is opened (for example, https://localhost:8080/#/management/tasks/148 gives 148).

Acquire the task execution history events (Tasks::GetTaskHistory); strHostName is the host name of the Administration Server:

    curl --location --request POST 'https://localhost:13299/api/v1.0/Tasks.GetTaskHistory' \
      --header 'X-KSC-Session: n/Uvfki+u+pAmb8jjMzVBzg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "pSortFields": [{"type": "params", "value": {"Name": "rise_time", "Asc": false}}],
        "pFields2Return": ["hostdn", "group_name", "task_new_state", "KLVSRV_DN", "rise_time", "GNRL_EA_DESCRIPTION"],
        "strHostName": "KSC",
        "pFilter": {"type": "params", "value": {}},
        "strTask": "103"
      }'

Response (iterator ID):

    {"strIteratorId":"2C356F1FA5B5875980950999AD036094"}

Get the records from the iterator (EventProcessing::GetRecordRange); strIteratorId is the value from the previous response:

    curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' \
      --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{ "strIteratorId": "2C356F1FA5B5875980950999AD036094", "nStart": 0, "nEnd": 20 }'

Response (task state history):

    {"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:47:57Z"},"task_new_state":1}},
      {"type":"params","value":{"GNRL_EA_DESCRIPTION":"Invalid destination folder.","group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":3}},
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":1}},
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:02Z"},"task_new_state":32}},
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":32}},
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":1}},
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-16T23:04:00Z"},"task_new_state":4}},
      {"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-14T23:04:00Z"},"task_new_state":4}}
    ]}}

Information from reports

Enumerate all existing reports.
ReportManager::EnumReports:

    curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.EnumReports' \
      --header 'X-KSC-Session: nejYJnFLwJgs14KpxeH9UMA=='

Response (all reports; RPT_ID, also present as KLRPT_REPORT_ID, is the lReportId used by ReportManager::ExecuteReportAsync below):

    {
      "PxgRetVal": [
        {
          "type": "params",
          "value": {
            "RPT_CREATED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
            "RPT_DN": "Report on file operations on removable drives",
            "RPT_EXTRA_DATA": {
              "type": "params",
              "value": {
                "KLRPT_DONT_USE_SPACES_FOR_SLASHES": false,
                "KLRPT_EXPAND_PERIOD": true,
                "KLRPT_GLOBAL_SCOPE": false,
                "KLRPT_OWNER_SRV_INSTANCE": "e71217d1-4a96-462c-a56a-6112bdc5369b",
                "KLRPT_PROTECTION_INCLUDE_OK": false,
                "KLRPT_PROTECTION_INCLUDE_VM": true,
                "KLRPT_PROTECTION_INCLUDE_WARNING": true,
                "KLRPT_REPORT_ID": 27,
                "KLRPT_SLAVE_EXEC_TIMEOUT": 300,
                "KLRPT_SLAVE_REC_DEPTH": 1,
                "KLRPT_TEMPORAL": false
              }
            },
            "RPT_GROUP_ID": 0,
            "RPT_ID": 27,
            "RPT_MODIFIED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
            "RPT_TYPE": 0
          }
        },
        ...
      ]
    }

USB Data transfer alert \ Report on file operations on removable drives available

Execute the report (ReportManager::ExecuteReportAsync):

    curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.ExecuteReportAsync' \
      --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "lReportId": 27,
        "pOptions": {
          "KLRPT_OUTPUT_FORMAT": { "type": "params", "value": { "KLRPT_TARGET_TYPE": 2 } }
        }
      }'

Response (request ID):

    {"strRequestId":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}

Check the status of the asynchronous action (AsyncActionStateChecker::CheckActionState); wstrActionGuid is the strRequestId from the previous response:

    curl --location --request POST 'https://localhost:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
      --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' \
      --header 'Content-Type: application/json' \
      --data-raw '{"wstrActionGuid":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}'

Response (KLRPT_OUTPUT_FILE gives the path of the generated report):

    {"bFinalized":true,"bSuccededFinalized":true,"lStateCode":1,"pStateData":{"KLRPT_OUTPUT_FILE":"/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json","KLRPT_OUTPUT_FORMAT":{"type":"params","value":{"KLRPT_TARGET_TYPE":2}}},"lNextCheckDelay":0}

Get the data:

    curl --location --request GET 'https://localhost:13299/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json' \
      --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg=='

Response with the report data:

    {"data":{"summary":{"heading":"Report on file operations on removable drives","subhead":"Report on file operations on removable drives","description":"This report provides information about file operations performed on removable drives. This report is generated for all groups.", ......

The same commands can be used for all reports: Server health status, Threat detection details from reports, Software Vulnerability details from the Report on vulnerabilities, etc.

Information from dashboards

KLRPT_DSH_TYPE - list of statistics dashboard types and attributes:

KLRPT_DSH_TYPE   Diagram                                             Meaning
22               AV Definition Status                                Distribution of anti-virus bases versions on hosts (5 counters: actual, 1 day old, 3 days old, 7 days old, and more than 7 days old).
56               Threat detection details (Critical, High, Medium)   Detection of threats.
42               Threat detection details (Critical, High, Medium)   Prohibited applications.
14               Threat detection details (Critical, High, Medium)   Most heavily infected devices.
18, 19           Threat detection details (Critical, High, Medium)   Most frequent threats.
40                                                                   Distribution of hosts with different vulnerability status (critical, high, warning, none).
26                                                                   License usage.
8                                                                    Distribution of anti-virus protection states in time.
20                                                                   Current state of anti-virus protection (number of hosts with the status Critical, Warning, and OK).
AV Definition Status

Send the request for the required data (ReportManager::RequestStatisticsData). "AV-DB-2" is a caller-chosen unique name for the requested dashboard (the result is returned under the same name); KLRPT_DSH_TYPE 22 is the value from the table above:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.RequestStatisticsData' \
      --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "pRequestParams": {
          "KLPPT_DASHBOARD": {
            "type": "params",
            "value": {
              "AV-DB-2": {
                "type": "params",
                "value": { "KLRPT_DSH_TYPE": 22, "bIncludeVS": false, "id": 0 }
              }
            }
          }
        }
      }'

Response (request ID):

    {"strRequestId": "BA357813B44D88306228D8614B081C11"}

Get the result of the request (ReportManager::GetStatisticsData); strRequestId is the value returned by ReportManager.RequestStatisticsData:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.GetStatisticsData' \
      --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' \
      --header 'Content-Type: application/json' \
      --data-raw '{"strRequestId": "E71313D620483B40309EA81415C34005"}'

Response (statistics dashboard):

    {"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"AV-DB-2":{"type":"params","value":{"KLRPT_DSH_TYPE":22,"bIncludeVS":false,"id":0,"nCount3Days":0,"nCount7Days":4,"nCountActual":1,"nCountDay":0,"nCountOld":1}}}}}}

Threat detection details (Critical, High, Medium)

Send the request for the required data (ReportManager::RequestStatisticsData). Each key under KLPPT_DASHBOARD ("threatsDetection-1", "prohibitedApps-1", ...) is a caller-chosen unique name; several dashboards can be requested in one call:

    curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.RequestStatisticsData' \
      --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' \
      --header 'Content-Type: application/json' \
      --data-raw '{
        "pRequestParams": {
          "KLPPT_DASHBOARD": {
            "type": "params",
            "value": {
              "threatsDetection-1": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 56, "bIncludeVS": false, "id": 0 } },
              "prohibitedApps-1":   { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 42, "bIncludeVS": false, "id": 0 } },
              "infectedDevices-1":  { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 14, "bIncludeVS": false, "id": 0 } },
              "frequentThreats0":   { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 18, "bIncludeVS": false, "id": 0 } },
              "frequentThreats1":   { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 19, "bIncludeVS": false, "id": 0 } }
            }
          }
        }
      }'

Response (request ID):

    {"strRequestId": "D988500C858EBAE332816C34E5588F7F"}

Get the result of the request (ReportManager::GetStatisticsData):

    curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.GetStatisticsData' \
      --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' \
      --header 'Content-Type: application/json' \
      --data-raw '{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}'

Response (statistics dashboards):

    {"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{
      "frequentThreats01":{"type":"params","value":{"DSHT_DATA":[
        {"type":"params","value":{"nCount":28,"wstrName":"EICAR-Test-File"}},
        {"type":"params","value":{"nCount":28,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},
        {"type":"params","value":{"nCount":24,"wstrName":"UDS:Trojan.Win32.Generic"}},
        {"type":"params","value":{"nCount":19,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},
        {"type":"params","value":{"nCount":15,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},
        {"type":"params","value":{"nCount":5,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}},
        {"type":"params","value":{"nCount":2,"wstrName":"UDS:Trojan.Win32.Agent.xadwev"}},
        {"type":"params","value":{"nCount":1,"wstrName":"Trojan.Multi.GenAutorunProc.a"}},
        {"type":"params","value":{"nCount":1,"wstrName":"http://bug.qainfo.ru/test/wmuf_w/"}}
      ],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":18,"bIncludeVS":false,"id":0}},
      "frequentThreats12":{"type":"params","value":{"DSHT_DATA":[
        {"type":"params","value":{"nCount":27,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},
        {"type":"params","value":{"nCount":22,"wstrName":"UDS:Trojan.Win32.Generic"}},
        {"type":"params","value":{"nCount":9,"wstrName":"EICAR-Test-File"}},
        {"type":"params","value":{"nCount":4,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},
        {"type":"params","value":{"nCount":3,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},
        {"type":"params","value":{"nCount":1,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}}
      ],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":19,"bIncludeVS":false,"id":0}},
      "infectedDevices-2":{"type":"params","value":{"DSHT_DATA":[
        {"type":"params","value":{"nCount":114,"wstrInternalName":"1ccdd245-2850-424a-9f63-a35b115cbced","wstrName":"WIN10-KES-EDR"}},
        {"type":"params","value":{"nCount":7,"wstrInternalName":"3e043993-8332-4e1c-958e-a750cd3d0c7c","wstrName":"KHRAMEEV-WIN10"}},
        {"type":"params","value":{"nCount":2,"wstrInternalName":"c160e768-ba47-47e7-a905-d7c3d39b74d4","wstrName":"khrameev-ub19"}}
      ],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":14,"bIncludeVS":false,"id":0}},
      "prohibitedApps-2":{"type":"params","value":{"DSHT_DATA":[],"KLPPT_StatPeriodInSec":2592000,"KLRPT_DSH_TYPE":42,"bIncludeVS":false,"id":0}},
      "threatsDetection-2":{"type":"params","value":{"DSHT_DATA":[
        {"type":"params","value":{"nCount":67,"nType":1,"wstrName":"File Threat Protection"}},
        {"type":"params","value":{"nCount":45,"nType":10,"wstrName":"Scan task"}},
        {"type":"params","value":{"nCount":9,"nType":3,"wstrName":"Web Threat Protection"}},
        {"type":"params","value":{"nCount":2,"nType":6,"wstrName":"Host Intrusion Prevention"}}
      ],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:28Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:28Z"},"KLRPT_DSH_TYPE":56,"bIncludeVS":false,"id":0}}
    }}}}

End the session to KSC (Session::EndSession); X-KSC-Session is the PxgRetVal from Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='
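The session, iterator, asynchronous-action and dashboard exchanges above, as an added Python example (not part of this article or of the KlAkOAPI package): it builds the KSCBasic header, decodes the API's typed {"type", "value"} encoding, drains an EventProcessing iterator page by page, polls AsyncActionStateChecker.CheckActionState and summarises the KLRPT_DSH_TYPE 22 dashboard. The `call(method, body)` argument is an assumed transport (any function that POSTs the body to https://<ksc>:13299/api/v1.0/<method> with the X-KSC-Session header and returns the decoded JSON), the sample responses are constructed from the ones quoted above, and treating lNextCheckDelay as milliseconds is an assumption.

```python
"""Client-side helpers for the KSC Open API exchanges in this article.

Added example, not part of the article or of KlAkOAPI. Nothing here touches
the network: `call(method, body)` is an assumed transport that POSTs `body`
to https://<ksc>:13299/api/v1.0/<method> with the X-KSC-Session header and
returns the decoded JSON, so the logic can be exercised offline."""
import base64
import time
from datetime import datetime, timezone


def ksc_basic_auth_header(user: str, password: str) -> str:
    """Authorization value for Session.StartSession with an internal KSC user.
    base64 is an encoding, not encryption: the credentials are protected only
    by TLS, which is why the article insists on an HTTPS session."""
    user_b64 = base64.b64encode(user.encode()).decode()
    pass_b64 = base64.b64encode(password.encode()).decode()
    return f'KSCBasic user="{user_b64}", pass="{pass_b64}", internal="1"'


def unwrap(node):
    """Collapse KSC's typed-value encoding into plain Python values.
    Structured values arrive as {"type": T, "value": V} with T one of "params"
    (nested dict), "long", "datetime" (ISO 8601 UTC, may be empty) or "binary"
    (base64). Untyped scalars and lists pass through unchanged."""
    if isinstance(node, dict) and set(node) == {"type", "value"}:
        kind, value = node["type"], node["value"]
        if kind == "params":
            return {k: unwrap(v) for k, v in value.items()}
        if kind == "long":
            return int(value)
        if kind == "datetime":
            if not value:
                return None
            return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if kind == "binary":
            return base64.b64decode(value)
        return value
    if isinstance(node, dict):
        return {k: unwrap(v) for k, v in node.items()}
    if isinstance(node, list):
        return [unwrap(v) for v in node]
    return node


def fetch_all_events(call, iterator_id: str, page_size: int = 100) -> list:
    """Drain an EventProcessing iterator with repeated GetRecordRange calls.
    Pages are read until an empty KLEVP_EVENT_RANGE_ARRAY comes back, so the
    caller never needs the total count; the iterator must stay alive
    (lifetimeSec from CreateEventProcessing2) for the whole loop."""
    records, start = [], 0
    while True:
        body = {"strIteratorId": iterator_id, "nStart": start, "nEnd": start + page_size}
        page = unwrap(call("EventProcessing.GetRecordRange", body))
        chunk = page.get("pParamsEvents", {}).get("KLEVP_EVENT_RANGE_ARRAY", [])
        if not chunk:
            return records
        records.extend(chunk)
        start += len(chunk)


def wait_for_action(call, action_guid: str, timeout_s: float = 300.0, sleep=time.sleep) -> dict:
    """Poll AsyncActionStateChecker.CheckActionState until the action ends.
    Returns the unwrapped pStateData on success (e.g. KLRPT_OUTPUT_FILE for a
    report) and raises if the server reports a failed action. lNextCheckDelay
    is treated as milliseconds (assumption; the article only shows 0) with a
    500 ms floor so that a 0 hint does not become a busy loop."""
    deadline = time.monotonic() + timeout_s
    while True:
        state = call("AsyncActionStateChecker.CheckActionState", {"wstrActionGuid": action_guid})
        if state.get("bFinalized"):
            if not state.get("bSuccededFinalized"):
                raise RuntimeError(f"action {action_guid} failed: {state.get('pStateData')}")
            return unwrap(state.get("pStateData", {}))
        if time.monotonic() > deadline:
            raise TimeoutError(f"action {action_guid} still running after {timeout_s}s")
        sleep(max(int(state.get("lNextCheckDelay", 0)), 500) / 1000)


def av_db_age_summary(result: dict, name: str) -> dict:
    """Summarise a KLRPT_DSH_TYPE 22 dashboard (age of anti-virus bases).
    `result` is the unwrapped pResultData from ReportManager.GetStatisticsData,
    `name` the caller-chosen key used in RequestStatisticsData ("AV-DB-2").
    Hosts in the 7-day and older buckets are counted as stale."""
    dash = result["KLPPT_DASHBOARD"][name]
    if dash["KLRPT_DSH_TYPE"] != 22:
        raise ValueError(f"{name}: KLRPT_DSH_TYPE {dash['KLRPT_DSH_TYPE']} is not the AV bases dashboard")
    buckets = {k: dash[k] for k in ("nCountActual", "nCountDay", "nCount3Days", "nCount7Days", "nCountOld")}
    total = sum(buckets.values())
    stale = buckets["nCount7Days"] + buckets["nCountOld"]
    return {"total": total, "stale": stale, "stale_share": stale / total if total else 0.0}


# Samples constructed from the responses quoted in the article.
SAMPLE_TASK_HISTORY = {"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY": [
    {"type": "params", "value": {"group_name": "Managed devices", "hostdn": "KSC",
     "rise_time": {"type": "datetime", "value": "2022-01-18T11:47:57Z"}, "task_new_state": 1}},
    {"type": "params", "value": {"GNRL_EA_DESCRIPTION": "Invalid destination folder.",
     "group_name": "Managed devices", "hostdn": "KSC",
     "rise_time": {"type": "datetime", "value": "2022-01-18T11:46:03Z"}, "task_new_state": 3}},
]}}
SAMPLE_AV_DB = {"pResultData": {"KLPPT_DASHBOARD": {"type": "params", "value": {"AV-DB-2": {
    "type": "params", "value": {"KLRPT_DSH_TYPE": 22, "bIncludeVS": False, "id": 0, "nCount3Days": 0,
                                "nCount7Days": 4, "nCountActual": 1, "nCountDay": 0, "nCountOld": 1}}}}}}
```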
  25. Description and cautions

This article shares working examples of KSC API calls for one of the available scenarios: publishing the Administration Agent (Network Agent) package on a KSC virtual server.

For the Windows version of cURL, the double quotes inside the arguments must be escaped with "\", otherwise the command fails. For example:

    'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites:
- Make sure the Kaspersky Administration Agent is available in the installation packages.
- Make sure you have an internal api-user with permissions for Kaspersky Security Center (the main KSC and the virtual KSC).

Example values:
- KSC address: 127.0.0.1 (an external address can be used as well over the network)
- API port: 13299 (default port of the KSC API)
- User: api-user (internal user with Kaspersky Security Center rights for KSC and vKSC), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
- Authentication type: authenticated session; the other types are described in the KSC Open API description.
- vKSC name: vksc2, base64: dmtzYzI=

Requests are described in cURL format; it is also possible to use the Python library (the KlAkOAPI Python package).

Start a session to connect to the KSC (Session::StartSession):

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
      --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

The user name and password are transmitted base64-encoded within the secure HTTPS session.

Response:

    { "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Send a request to the KSC server for the list of packages (PackagesApi::GetPackages2); X-KSC-Session is the PxgRetVal from Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetPackages2' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

Retrieving the list of packages.
Note the KLPKG_NPI_PKGID of the Network Agent package that will be transferred to the vKSC.

Response:

    {
      "PxgRetVal": [
        {...},
        {
          "type": "params",
          "value": {
            "KLPKG_NPI_AV_BASES_UPDATE_TIME": { "type": "datetime", "value": "" },
            "KLPKG_NPI_AV_BASES_UPD_SUPPORTED": false,
            "KLPKG_NPI_CREATION_TIME": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
            "KLPKG_NPI_EXTRA_DATA": {
              "type": "params",
              "value": {
                "KLPGG_VAPM_DISTRIB_GLBID": { "type": "long", "value": 0 },
                "KLPKG_EULA_UID": { "type": "binary", "value": "fPTQzfMWVvVPG7bFasjoJw==" },
                "KLPKG_FORMAT": 2,
                "KLPKG_IS_MSI": true,
                "KLPKG_LANG_TAG": "en",
                "KLPKG_PARENT_ID": 0,
                "KLPKG_PKG_MAN": 0,
                "KLPKG_PLATFORM": 2,
                "KLPKG_PRD_TYPE": 1,
                "KLPKG_TYPE": 1,
                "bPkgPrereqAllowed": true,
                "nPatchGlbId": { "type": "long", "value": 0 },
                "nPatchLcid": 0
              }
            },
            "KLPKG_NPI_MODIF_TIME": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
            "KLPKG_NPI_NAME": "Kaspersky Security Center 13 Network Agent (13.0.0.11247)",
            "KLPKG_NPI_PACKAGE_PATH": "\\\\KSC\\KLSHARE\\Packages\\NetAgent_13.0.0.11247",
            "KLPKG_NPI_PKGID": 3,
            "KLPKG_NPI_PRODUCT_DISPL_NAME": "Kaspersky Security Center 13 Network Agent",
            "KLPKG_NPI_PRODUCT_DISPL_VERSION": "13.0.0.11247",
            "KLPKG_NPI_PRODUCT_NAME": "1103",
            "KLPKG_NPI_PRODUCT_VERSION": "1.0.0.0",
            "KLPKG_NPI_SIZE": { "type": "long", "value": 70113813 },
            "KLPKG_NPI_SS_DESCR": "NetAgent_13.0.0.11247\\exec\\ss_install.xml|3"
          }
        },
        {...}
      ]
    }

Send a request for the vKSC list (VServers::GetVServers); X-KSC-Session is the PxgRetVal from Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/VServers.GetVServers' \
      --header 'Content-Type: application/json' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
      --data-raw '{ "lParentGroup": -1 }'

Note the KLVSRV_DN and KLVSRV_ID of the target virtual server. Response:

    {
      "PxgRetVal": [
        {...},
        {
          "type": "params",
          "value": {
            "KLVSRV_CREATED": { "type": "datetime", "value": "2021-11-23T11:48:53Z" },
            "KLVSRV_DN": "vksc2",
            "KLVSRV_ENABLED": true,
            "KLVSRV_GROUPS": 29,
            "KLVSRV_GRP": 0,
            "KLVSRV_HST_UID": "VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426",
            "KLVSRV_ID": 3,
            "KLVSRV_LIC_ENABLED": true,
            "KLVSRV_NEW_HOSTS_PROHIBITED": false,
            "KLVSRV_SUPER": 28,
            "KLVSRV_TOO_MUCH_HOSTS": false,
            "KLVSRV_UID": "VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426",
            "KLVSRV_UNASSIGNED": 32
          }
        },
        {...}
      ]
    }

Asynchronous request to transfer the Administration Agent installation package to the vKSC and create a standalone package (PackagesApi::RetranslateToVServerAsync). nPackageId is the KLPKG_NPI_PKGID and KLPKG_USE_LANGUAGE_TAG the KLPKG_LANG_TAG from PackagesApi.GetPackages2; nVServerId is the KLVSRV_ID from VServers.GetVServers; X-KSC-Session is the PxgRetVal from Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.RetranslateToVServerAsync' \
      --header 'Content-Type: application/json' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
      --data-raw '{
        "nPackageId": 3,
        "nVServerId": 3,
        "pOptions": {
          "KLPKG_CREATE_STANDALONE_PRODS": false,
          "KLPKG_CREATE_STANDALONE_NAGT": true,
          "KLPKG_USE_LANGUAGE_TAG": "en",
          "KLPKG_TYPE": 1,
          "KLPKG_LAZY_RETRANSLATION": false
        }
      }'

Response (asynchronous action ID):

    { "PxgRetVal": "C51B622B891CB03B7229A3CD9407B6AD" }

Check the status of the action (AsyncActionStateChecker::CheckActionState); wstrActionGuid is the PxgRetVal from PackagesApi.RetranslateToVServerAsync:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
      --header 'Content-Type: application/json' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
      --data-raw '{ "wstrActionGuid": "C51B622B891CB03B7229A3CD9407B6AD" }'

Completion ("bFinalized": true) and successful execution ("bSuccededFinalized": true). Response:

    {
      "bFinalized": true,
      "bSuccededFinalized": true,
      "lStateCode": 1,
      "pStateData": { "KLPKG_EP_EXECID": 11, "KLPKG_EP_FILESIZE": 0 },
      "lNextCheckDelay": 0
    }

End the session to the KSC (Session::EndSession); X-KSC-Session is the PxgRetVal from Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
      --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

Start a session to connect to the virtual KSC (Session::StartSession). The X-KSC-VServer header carries the vKSC name (KLVSRV_DN from VServers.GetVServers) in base64:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
      --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"' \
      --header 'X-KSC-VServer: dmtzYzI='

The user can belong to the vKSC or to the main KSC (in the latter case the user account rights for Kaspersky Security Center must additionally be configured in the vKSC). The user name and password are transmitted base64-encoded within the secure HTTPS session.

Response:

    { "PxgRetVal": "nz1/AOfHq6cdf986vTvNV7Q==" }

Obtain the list of standalone installation packages from the virtual server (PackagesApi::GetExecutablePackages); X-KSC-Session is the PxgRetVal from the vKSC Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetExecutablePackages' \
      --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q==' \
      --header 'Content-Type: application/json'

Note the KLPKG_WebURL. Response:

    {
      "PxgRetVal": {
        "KLPKG_evpExecs": [
          {...},
          {
            "type": "params",
            "value": {
              "KLPKG_CreationDate": { "type": "datetime", "value": "2021-11-24T12:07:23Z" },
              "KLPKG_EP_SHA256": "",
              "KLPKG_IsPublished": true,
              "KLPKG_IsVirtual": true,
              "KLPKG_LicenseSerialNum": "",
              "KLPKG_ModificationDate": { "type": "datetime", "value": "2021-11-24T12:07:23Z" },
              "KLPKG_NAME": "",
              "KLPKG_NagentDisplayVersion": "13.0.0.11247",
              "KLPKG_NagentPkgId": 28,
              "KLPKG_NagentPkgName": "Kaspersky Security Center 13 Network Agent (13.0.0.11247)",
              "KLPKG_ProdDisplayName": "",
              "KLPKG_TargetGroup": "Managed devices",
              "KLPKG_TargetGroupId": 29,
              "KLPKG_WebURL": "http://ksc.test.lab:8060/dlpkg?id=12712942",
              "KLPKG_evpAddPkgId": 28,
              "KLPKG_evpExecPkgId": 10,
              "KLPKG_evpPkgId": 28,
              "KLPKG_evpPkgPath": "",
              "KLPKG_evpPkgSize": 0
            }
          },
          {...}
        ]
      }
    }

The standalone Network Agent installation package is available at KLPKG_WebURL for KLPKG_NagentPkgName.

End the vKSC session (Session::EndSession); X-KSC-Session is the PxgRetVal from the vKSC Session.StartSession:

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
      --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q=='
  26. Description and cautions

This article shares working examples of KSC API calls for one of the available scenarios: retrieving events and hardware and/or software inventory data.

For the Windows version of cURL, the double quotes inside the arguments must be escaped with "\", otherwise the command fails. For example:

    'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites: an internal KSC user, api-user.

The examples use the following values:
- KSC address: 127.0.0.1 (an external address can be used as well)
- API port: 13299 (default)
- User: api-user (internal KSC user), base64: YXBpLXVzZXI=
- Password: password, base64: cGFzc3dvcmQ=
- Authentication type: authenticated session; the other types are described in the KSC Open API description.

All requests are given in cURL format; as an alternative the Python library (the KlAkOAPI Python package) can be used.

Login

Start a connection to KSC (Session::StartSession):

    curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
      --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

The username and password are base64-encoded and are transmitted only inside the secure HTTPS session. For example, https://www.base64encode.org/ can be used for the encoding.

Response:

    { "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Use the returned token in the X-KSC-Session header of the following requests.

Find Host

Find a host by filter string (HostGroup::FindHosts). The filter string contains a condition over host attributes; see also Search filter syntax.
We use "KLHST_WKS_DN" (the host display name) in the filter:

    curl --location --request POST "https://127.0.0.1:13299/api/v1.0/HostGroup.FindHosts" --header "X-KSC-Session: nqepy9ZpZZ/2tiWXhil5cBg==" --header "Content-Type: application/json" --data-raw "{ \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"KLHST_WKS_DN\",\"KLHST_WKS_IP_LONG\",\"KLHST_WKS_PRODUCT_TAG_NAME\",\"KLHST_WKS_RTP_AV_VERSION\",\"KLHST_WKS_NAG_VERSION\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_VIRUS_COUNT\"], \"lMaxLifeTime\":1200, \"wstrFilter\":\"(KLHST_WKS_DN=\\"WIN10-OPTIMUM-1\\")\" }"

Response (accessor ID):

    {"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":1}

Copy the strAccessor into the next request (ChunkAccessor::GetItemsChunk):

    curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\", \"nStart\": 0, \"nCount\": 100 }"

Response (information about the host):

    {"pChunk":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","KLHST_WKS_IP_LONG":{"type":"long","value":172250504},"KLHST_WKS_LAST_UPDATE":{"type":"datetime","value":"2022-02-17T13:00:01Z"},"KLHST_WKS_NAG_VERSION":"13.2.0.1511","KLHST_WKS_RTP_AV_VERSION":"11.7.0.669","KLHST_WKS_VIRUS_COUNT":{"type":"long","value":9}}}]},"PxgRetVal":1}

Copy the value of "KLHST_WKS_HOSTNAME" for use in the next request.

Hardware Inventory

SrvView

Find srvview data by filter string (SrvView::ResetIterator):
- "wstrViewName" - see the List of supported srvviews.
- "vecFieldsToReturn" - see https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html
- "wstrFilter":"(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")" - KLHST_WKS_HOSTNAME from the previous request.

SrvView::ResetIterator:

    curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.ResetIterator" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrViewName\":\"HWInvPCSrvViewName\", \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"dev_id\",\"RamType\",\"dev_type\"], \"vecFieldsToOrder\":[{\"type\":\"params\",\"value\":{\"Name\":\"dev_id\",\"Asc\":\"true\"}}], \"lifetimeSec\":100, \"pParams\":{\"TOP_N\":\"yes\",\"USE_DISTINCT\":\"true\"}, \"wstrFilter\":\"(KLHST_WKS_HOSTNAME=\\"c0816918-fbc5-4fbc-8fed-6f245756120e\\")\" }"

Response (iterator ID):

    {"wstrIteratorId":"466579A79FA755D69B94EC60A5B04744"}

Get the records from the iterator (SrvView::GetRecordRange); wstrIteratorId is the value from the previous response:

    curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrIteratorId\":\"50054D2A2D7A93DCEBFA3BE6F7E21D5E\", \"nStart\": 0, \"nEnd\": 100 }"

Response (hardware records matching the filter):

    {"pRecords":{"KLCSP_ITERATOR_ARRAY":[
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"ABE3CC21B521C704DA4FC63BD5698F71","dev_type":1}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\1&1F0C3C2F&0&UID256","dev_type":7}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\4&31BE19FA&0&UID0","dev_type":7}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E05564F28A7EBE312D1326FD0D1A8479","dev_type":1}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E69E8830E7D33F96BF1E21996A7D73CA","dev_type":0}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&18D45AA6&0&78","dev_type":4}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00\\005056FFFF87CC6600","dev_type":6}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"Physical Memory 0","dev_type":2}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&A629540&0&000000","dev_type":8}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000","dev_type":3}},
      {"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0002","dev_type":4}}
    ]}}

Software Inventory

Acquire the software applications installed on the specified host.
(InventoryApi::GetHostInvProducts) "szwHostId" - WKS_HOSTNAME form previosly request InventoryApi::GetHostInvProducts curl -L -X POST "https://127.0.0.1:13299/api/v1.0/InventoryApi.GetHostInvProducts" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"szwHostId\":\"c0816918-fbc5-4fbc-8fed-6f245756120e\", # KLHST_WKS_HOSTNAME from previuosly reqest \"pParams\":{\"KLEVP_EA_PARAM_1\":\"\"} }" Response info about software: Response {"PxgRetVal":{"GNRL_EA_PARAM_1":[{"type":"params","value":{"ARPRegKey":"{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","CleanerProductName":"","Comments":"","DisplayName":"Kaspersky Endpoint Security for Windows","DisplayVersion":"11.7.0.669","HelpLink":"https://click.kaspersky.com/?hl=en&link=support&pid=kes&version=21.4.20.669","HelpTelephone":"","InstallDate":"20211002","InstallDir":"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\","InstanceID":{"type":"binary","value":"AA=="},"LangId":1033,"PackageCode":"","ProductID":"4E8A2680B3C78565814848DB5ED35C83","Publisher":"AO Kaspersky Lab","QuietUninstallString":"msiexec.exe /X {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} /quiet /norestart","UninstallString":"msiexec.exe /x {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","VapmBuild":{"type":"long","value":0},"bIsMsi":true}},{"type":"params","value":{"ARPRegKey":"{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}","CleanerProductName":"","Comments":"","DisplayName":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508","DisplayVersion":"14.20.27508.1","HelpLink":"","HelpTelephone":"","InstallDate":"20210512","InstallDir":"","InstanceID":{"type":"binary","value":"AA=="},"LangId":0,"PackageCode":"","ProductID":"2E30B54FFAFE11F6DEDB0A31EA8CD6D1","Publisher":"Microsoft Corporation","QuietUninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall /quiet","UninstallString":"\"C:\\ProgramData\\Package 
Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall","VapmBuild":{"type":"long","value":0},"bIsMsi":false}}, ....... Tasks Operations #strTask - open task in nmc-web-console - 1326 (for example: https://localhost:8080/#/management/tasks/148) Get Task Acquire attributes of specified task. (Tasks::GetTask) Response Response {"PxgRetVal":{"DisplayName":"KEA - Isolation ON","PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-10T13:57:34Z"},"TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASK_UNIQUE_ID":"1326"}} Run task Run remote installation task. Start specified task. Tasks::RunTask curl -L -X POST "https://127.0.0.1:13299/api/v1.0/Tasks.RunTask" -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" -H "Content-Type: application/json" --data-raw "{ \"strTask\":\"1326\" # From NWC-web-cosnole ksc }" Update Task Get Data Task Acquire task settings. Tasks::GetTaskData GetData Task curl -L -X POST "https://localhost:13299/api/v1.0/Tasks.RunTask" -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" -H "Content-Type: application/json" --data-raw "{ \"strTask\":\"1326\" }" Response all parameters and some of them we must use in next request. Modify task settings. 
Tasks::UpdateTask Update Task POST /api/v1.0/Tasks.UpdateTask HTTP/1.1 Host: localhost:13299 X-KSC-Session: n8quj71CtoWbYijcBHY6FvA== Content-Type: application/json Content-Length: 3477 { "strTask":"1338", "pData":{ "TASKID_COMPONENT_NAME":"87", "TASKID_PRODUCT_NAME":"1093", "TASKID_VERSION":"1.0.0.0", "TASK_NAME":"Remote Installation", "TASKSCH_TYPE":0, "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}}, "PRTS_TASK_GROUPID":-1, ".HstQueryId":0, "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific 
host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"P
RTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}} } } Change values for HostList and enter specific host. For example: "HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}] { "strTask":"1338", "pData":{ "TASKID_COMPONENT_NAME":"87", "TASKID_PRODUCT_NAME":"1093", "TASKID_VERSION":"1.0.0.0", "TASK_NAME":"Remote Installation", "TASKSCH_TYPE":0, "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}}, "PRTS_TASK_GROUPID":-1, ".HstQueryId":0, "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific 
host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"P
RTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}} } } Run Task Host Events Create event processing iterator with filter (EventProcessingFactory::CreateEventProcessing2 ) pFilter (params) object containing values for attributes to filter events. Only events with matching attribute values will be returned. If empty all events will be returned. See List of event filter attributes for attribute names. "GNRL_EA_SEVERITY" paramInt Event severity. May have the following values: 0 - Constant to be used as invalid event severity value 1 - Severity "Information" 2 - Severity "Warning" 3 - Severity "Error" 4 - Severity "Critical" vecFieldsToReturn (array) array of attribute names to return. See List of event attributes for attribute names #host id - FindHost EventProcessingFactory::CreateEventProcessing2) POST /api/v1.0/EventProcessingFactory.CreateEventProcessing2 HTTP/1.1 Host: localhost:13299 X-KSC-Session: nvLZ4Hwi5VAL7XIiMwPaxPw== Content-Type: application/json Content-Length: 440 { "pFilter": { "KLEVP_EVENT_HOST":"a537ddc0-b84b-488a-993c-9f76e62036e9", #host id "GNRL_EA_SEVERITY":4 #Critical Event }, "vecFieldsToReturn": [ "GNRL_EA_SEVERITY", "event_db_id", "rise_time", "hostname", "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name" ], "vecFieldsToOrder": [], "lifetimeSec": 1000 } Response ID Response {"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"} Get result from Response data ( ReportManager::GetStatisticsData) : EventProcessing::GetRecordRange curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' --header 'Content-Type: application/json' --data-raw '{ "strIteratorId":"A07B69A5347CF435DB66C0FA826371FF", 
"nStart": 0, "nEnd": 100 }' Response critical events: Response {"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119829},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:10:44Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119818},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:05:34Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119807},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime",........ 
Close Session to KSC (Session::EndSession) : Session::EndSession curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' #PxgRetVal from Session.StartSession
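As an added example that is not part of the original article or of Kaspersky's own tooling, the Python below builds the CreateEventProcessing2 filter body from the severity codes listed above and unwraps the {"type","value"} encoding that the SrvView, inventory and event responses share; the function names are mine and SAMPLE_RESPONSE is constructed to match the shape of the GetRecordRange output above.

```python
"""Added example (not Kaspersky's code): helpers for the KSC Open API calls shown above."""
import json

# Severity codes from the GNRL_EA_SEVERITY description above.
SEVERITY_NAMES = {0: "Invalid", 1: "Information", 2: "Warning", 3: "Error", 4: "Critical"}
EVENT_FIELDS = ["GNRL_EA_SEVERITY", "event_db_id", "rise_time", "hostname", "event_type",
                "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name"]

def unwrap(value):
    """Recursively strip KSC's {"type": ..., "value": ...} wrappers (params, long, datetime,
    binary) into plain Python values; binary stays base64 text, datetime stays ISO-8601 text."""
    if isinstance(value, dict):
        if set(value) == {"type", "value"} and isinstance(value["type"], str):
            return unwrap(value["value"])
        return {k: unwrap(v) for k, v in value.items()}
    if isinstance(value, list):
        return [unwrap(v) for v in value]
    return value

def event_filter_body(host_id, severity, lifetime_sec=1000):
    """Build the EventProcessingFactory.CreateEventProcessing2 body for one host and severity."""
    if severity not in SEVERITY_NAMES:
        raise ValueError(f"unknown GNRL_EA_SEVERITY value {severity!r}")
    return {"pFilter": {"KLEVP_EVENT_HOST": host_id, "GNRL_EA_SEVERITY": severity},
            "vecFieldsToReturn": list(EVENT_FIELDS), "vecFieldsToOrder": [],
            "lifetimeSec": lifetime_sec}

def parse_event_range(response_json):
    """Flatten an EventProcessing.GetRecordRange response into one plain dict per event
    and add a readable severity_name so the records can go straight into a SIEM or report."""
    events = unwrap(json.loads(response_json))["pParamsEvents"]["KLEVP_EVENT_RANGE_ARRAY"]
    return [dict(ev, severity_name=SEVERITY_NAMES.get(ev.get("GNRL_EA_SEVERITY"), "Unknown"))
            for ev in events]

# Constructed sample shaped like the GetRecordRange response above (description shortened).
SAMPLE_RESPONSE = json.dumps({"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY": [
    {"type": "params", "value": {
        "GNRL_EA_DESCRIPTION": "Event type: KSN servers unavailable\r\nName: avp.exe",
        "GNRL_EA_SEVERITY": 4, "event_db_id": {"type": "long", "value": 119829},
        "event_type": "000007e7", "event_type_display_name": "KSN servers unavailable",
        "group_id": 5, "group_name": "KEDR-O", "hostname": "a537ddc0-b84b-488a-993c-9f76e62036e9",
        "rise_time": {"type": "datetime", "value": "2022-03-04T09:10:44Z"}}},
    {"type": "params", "value": {
        "GNRL_EA_DESCRIPTION": "Event type: KSN servers unavailable\r\nName: avp.exe",
        "GNRL_EA_SEVERITY": 4, "event_db_id": {"type": "long", "value": 119818},
        "event_type": "000007e7", "event_type_display_name": "KSN servers unavailable",
        "group_id": 5, "group_name": "KEDR-O", "hostname": "a537ddc0-b84b-488a-993c-9f76e62036e9",
        "rise_time": {"type": "datetime", "value": "2022-03-04T09:05:34Z"}}}]}})

if __name__ == "__main__":
    for ev in parse_event_range(SAMPLE_RESPONSE):
        print(ev["rise_time"], ev["event_db_id"], ev["severity_name"], ev["event_type_display_name"])
```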