All Activity

Да, наверное. Ну и в главном окне продукта висит. В ветке репорта проблеме выставлен приоритет 4 (самый низкий), и вообще она закрыта для обсуждения. Так что ничего тут такого особенного разрабы AG не видят. Это больше пользователи возмущаются.)

Description You can face an issue like this on Events page in KWTS: Sometimes the search on the Events page works correctly. Sometimes not.. If you collect har-file (HOW TO) from Events page with reproduced issue you will see an error also in it: Also you can find an error in diagnostic_info\logs\var\log\kaspersky\kwts\extra\webapi.log: celery.backends.base.SoftTimeLimitExceeded: SoftTimeLimitExceeded(True,) Then you should check Maximum event log size (https://support.kaspersky.com/KWTS/6.1/en-US/174773.htm) in settings here: diagnostic_info\klinfo\worker_settings.xml Maximum event log size set to 10 GB. How to solve a problem You should set it to 9 GB. The KWTS architecture is not designed for a large event database size.

Don't forget to install 6.0.1 and 6.0.2 patch, which fixes some bugs in ICAP integration. Description and cautions Since we have new ICAP working modes, presented in KATA 6.0 - https://support.kaspersky.ru/KATA/6.0/en-US/247269.htm , we would like to show you, how to configure such integration on example of squid proxy server. Added ICAP integration with feedback. ICAP integration with feedback can work in two modes: Standard scan. In standard scan mode, the object is scanned by all supported technologies. While being scanned by the Sandbox component, the object remains available. If a threat is detected, the object is blocked. Advanced scan. In the advanced scan mode, objects are scanned by all supported technologies. While being scanned by the Sandbox component, the object is not available. If a threat is detected, the object is blocked. Details Reminder - this is just an example, but working one:) Squid configuration part Assuming you already have squid installed with default configuration (of course, yours could be different according to your infrastructure), add following lines in the end of /etc/squid/squid.conf (surely, change the IP address to yours) icap_enable on adaptation_send_username on adaptation_send_client_ip on icap_service kata_req reqmod_precache icap://10.68.56.219:1344/av/reqmod icap_service kata_resp respmod_precache icap://10.68.56.219:1344/av/respmod adaptation_access kata_req allow all adaptation_access kata_resp allow all icap_service_failure_limit -1 The only thing we changed here as well is at the start of squid.conf - source subnet, in order to adapt server to our Lab # # Recommended minimum configuration: # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.68.56.0/23 We also recommend to add these lines below as well, so you would be able to analyze ICAP logs logformat icap_squid %tl %6tr %rm %ru %rp %6icap::tr %>a %icap::to/%03icap::Hs %icap::rm %icap::ru %un %icap::<A %icap::<st %icap::>st %icap::<bs %icap::>h %icap::<h %icap::tr %icap::tio icap_log /var/log/squid/icap.log icap_squid ICAP logs are located at /var/log/squid/icap.log and look like So the whole picture should look like this Testing part If standard scan mode is enabled, let's check on KATA side, how it looks like in /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log grep --color 'blocking_simple mode' | grep 'verdict' In this example we can see that from URL file was scanned with verdict: clean (whitelist) 09:41:46.697 INF 137781 server/source/file_handler_respmod.cpp:435 [sid: 0x0000004d] RESPMOD: Finish processing file in blocking_simple mode (request url: 'r3.o.lencr.org', size: 503, filename: 'baf664a8a7841e1d057f5ab0da58bcf0', uuid: 5cc2d18781924f98b6e4961494125616, md5: baf664a8a7841e1d057f5ab0da58bcf0, format: GeneralBin), processing time: 0.147ms, verdict: clean (whitelist) File from URL with verdict: clean (cached) 09:40:14.476 INF 137778 server/source/file_handler_respmod.cpp:435 [sid: 0x0000004a] RESPMOD: Finish processing file in blocking_simple mode (request url: 'detectportal.firefox.com/success.txt?ipv6', size: 8, filename: 'success.txt', uuid: 25f155a67eff4a4a90b33dbbb4f3367c, md5: ae780585f49b94ce1444eb7d28906123, format: GeneralTxt), processing time: 0.124ms, verdict: clean (cached) URL with verdict: good (KSN) 09:42:37.334 INF 137780 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000004c] REQMOD: Finish processing url in blocking_simple mode ('box.kaspersky.com'), processing time: 3ms, verdict: good (KSN) File from URL verdict: clean (scanned) 09:35:14.691 INF 137770 server/source/file_handler_respmod.cpp:435 [sid: 0x00000042] RESPMOD: Finish processing file in blocking_simple mode (request url: 'detectportal.firefox.com/success.txt?ipv4', size: 8, filename: 'success.txt', uuid: 4c87c81cf3d543ceb6694d917329d2b8, md5: ae780585f49b94ce1444eb7d28906123, format: GeneralTxt), processing time: 124.894ms, verdict: clean (scanned) URL with verdict: bad (KSN) 10:05:18.354 INF 137802 server/source/file_handler_reqmod.cpp:187 [sid: 0x00000062] REQMOD: Finish processing url in blocking_simple mode ('kaspersky.com/test/wmuf'), processing time: 146ms, verdict: bad (KSN) If advanced scan mode is enabled, let's check on KATA side, how it looks like in /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log grep --color 'blocking_advanced mode' | grep 'verdict' Picture is pretty the same, but from browser side you will see that object is blocked/inaccessible 10:54:01.341 INF 139635 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000000e] REQMOD: Finish processing url in blocking_advanced mode ('bug.qainfo.ru/test_cloud/wmuf'), processing time: 27ms, verdict: bad (KSN) 10:54:20.467 INF 139635 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000000e] REQMOD: Finish processing url in blocking_advanced mode ('secure.eicar.org:443'), processing time: 0ms, verdict: good (KSN) 10:50:45.303 INF 139632 server/source/file_handler_respmod.cpp:435 [sid: 0x0000000b] RESPMOD: Finish processing file in blocking_advanced mode (request url: 'ocsp2.globalsign.com/gsorganizationvalsha2g3', size: 1461, filename: 'gsorganizationvalsha2g3', uuid: f88dd52252da4fdf8aaabc3aafdbdb0a, md5: 9a3ec48893b2952f013e03311b878e18, format: GeneralBin), processing time: 0.346ms, verdict: clean (whitelist) During tests at KATA web UI you should see activity on ICAP dashboard and under Security office we can see two alerts, generated after our tests (10.68.56.227 is squid IP address) In real world, of course, you will see other detects as well, for instance, on infected objects and malicious URLs.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem You change the account of the administration server service via the klsrvswch tool. Note that this is the only way to change the account, manual modification (for example, via services.msc) is not supported. Then, the you run the Install required updates and fix vulnerabilities task. As a result, the task is cancelled and updates are not installed. Diagnostics The following error can be found in $klserver-1093.log: 20.11.2023 10:26:16.683 00000ADC.000028C0 L4 KLSTD: Error 0x5 accessing the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#', m_dwWin32Access=0x80000000, m_dwWin32Creation=0x3, m_dwWin32Flags=0x8000000 20.11.2023 10:26:16.683 00000ADC.000028C0 L1 KLSTD: Error ERROR_ACCESS_DENIED (attempt 186 from 300) for the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#' When checking permissions of the file C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#, it lacks the new service account assigned to the kladminserver service: In this example, the Administration Server account is the old service account used to start the KSC service. Workaround Add the new KSC Service account or the KLAdmins group to the access control list of the #WSUS# file and grant it full access:

Versions Applicable to versions above 5: 5.0, 5.1, 6.0, 6.0.1, etc. You can fancy access log-history logs (former apt-history) directly for convenience purposes or if the kata-collect-siem-logs tool is malfunctioning for some reason. These logs are in gzip, sorted by dates, as files with names in format: /data/volumes/s3proxy/log-history/YYYY-MM-DD-HH-MM-SS, where YYYY-MM-DD-HH-MM-SS is the datetime. basename -a /data/volumes/s3proxy/log-history/2024* 2024-01-01-13-55-03 2024-01-17-12-00-14 2024-01-17-12-05-14 To access these logs, use the respective zless; zgrep; zcat tools. For example: zcat /data/volumes/s3proxy/log-history/2024-01-17-12-05-14 2024-01-17 12:00:59.924639 info apt-history: New IDS alert: {id: 63, importance: High, hidden: False, rule_id: 51310592, excluded rule: False, src: 18.156.136.240:80, dest: 10.63.100.252:2198, bases_version: 202401170033} Bonus: you can also use these tools to read rotated logs of kataservices in /var/log/kaspersky/services/: zgrep "FileNotFoundError" /var/log/kaspersky/services/web_backend/web_backend.log.1

Versions Applicable to versions later than 5.0, 5.1, 6.0, 6.0.1, etc. Problem There are several cases where the standard method of changing interface network settings via the Web UI is not available, e.g. the Web UI is inaccessible. Solution Become root, save the nodes settings: sudo su console-settings-updater get /deploy/deployment_api/nodes | python3 -m json.tool > /tmp/nodes Open the saved file for editing: vim /tmp/nodes Locate the desired network_settings, ifaces node, change the values tat you need to change: { "cc2cx0fltsjmxolid99p5loen": { "id": 1, "hostname": "1.srv.node1.node.dyn.kata", ... "network_settings": { "ifaces": [ { "iface_name": "ens160", "configuration_type": "static", "span": false, "address": "10.68.56.215", "netmask": "255.255.254.0", "gateway": "10.68.56.1", "mac": "00:50:56:a5:39:f6" }, { "iface_name": "ens192", "configuration_type": "static", "address": "100.100.100.100", "netmask": "255.255.255.0", "gateway": "100.100.100.1", "mac": "00:50:56:a2:5a:f6" } ] } } } Save your changes and exit Vim. Verify that the JSON structure is valid (the command returns no errors): cat /tmp/nodes | python3 -m json.tool Import the modified settings back: console-settings-updater set /deploy/deployment_api/nodes @/tmp/nodes

Description Here's how to install KATA 6.0 Ubuntu edition in KVM environment - https://support.kaspersky.ru/KATA/6.0/en-US/265697.htm In the example below we use RHEL 9.3, installed as VM in VMware Workstation Pro 17.0 Step-by-step guide First, you have to install QEMU/KVM , all steps are described HERE Then install from Software application Virtual Machine Manager, here it's 4.1.0 version. After successful installation just open up Virtual Machine Manager application, and click on the icon "Create a new virtual machine" Assuming, you have KATA Ubuntu ISO locally in OS, choose option below and click "Forward" Click "Browse" and "Forward" Click "Browse Local" Locate KATA Ubuntu ISO and click "Open" Next, do the steps as shown on picture below Click "Yes" Assign resources to VM according to THIS article (ignore our settings below, it's just a demo) and click "Forward" Configure a disk (ignore our settings below, it's just a demo) and click "Forward" Name your VM, select a network and click "Finish" Now you should see installation window, proceed like you usually do with standard KATA installation on VMware In this window select ONLY "single", cause KVM supports only this type of installation Select a disk and click "OK" Wait a bit and you should see that installation starts, and now you just have to wait for next step of installation/configuration Now select subnets (usually use default ones) by pressing Enter Choose network > assign IP (static or dhcp, in our example we use dhcp) > set password length and password itself > configure DNS servers Choose if you want capture traffic via SPAN (y or n) > configure NTP servers That's it, KATA installed Now you can login to web UI and configure server, in our example IP of server is 192.168.122.47, let's login to https://192.168.122.47:8443 and voila "Configure" and wait for completion

Scenario: KATA/EDR CN is integrated with the KPSN server, and you want to enrich the KPSN reputation database with the detections from the sandbox server. You can integrate a KATA Platform Central node with the KPSN reputation database and automatically populate it with information about the files that the sandbox technology finds to be dangerous and highly important. Pre-requisites: To configure sending checksums of the files detected by the sandbox technology to KPSN, you will need a certificate of a KPSN user account entitled to use KPSN API. Download the certificate (both parts, public and private) of a KPSN user who has permission to use KPSN API from the user’s profile in the KPSN web console. The KPSN administrator has the required permissions, but a pair of encryption keys of any user allowed to access the KPSN API will do as well. and key from the user’s profile from the KPSN web interface. You can provide the API access to the required user from KPSN Web UI → Users → and the API option should be enabled under permissions. To send the sandbox detections to KPSN: In the central node administrator’s console, open Settings | KPSN reputation database and specify: HOST – IP address of the KPSN server where the local KPSN reputation database is stored; TLS Certificate – a certificate for the user authentication in KPSN; TLS encryption key – private encryption key; There are two or more servers with different roles in a typical KPSN installation. A KPSN server can have several roles. Specify the IP address of the KPSN server that has the Monitoring Service role. In the Central node console of a senior security office, open Settings | KPSN reputation database and select the checkbox to Assign the ‘Untrusted’ status to objects. You can upload the test file to the KATA Central node for scanning, once the file is detected by Sandbox component, the checksum of the detected file will be published in the KPSN local reputation database. The KPSN administrator can manually create records in the KPSN reputation database. A record added by KATA/EDR has the KATA tag in the description. You cannot delete the KATA records, but you can disable them. Below screenshot display the samples hashes added in the KPSN Reputation database from the KATA server.

Description and cautions One may need to change the admin account's password (the account used for SSH login). KATA 5.0 For KATA 5.0 this article is not applicable. No option to change Local Administrator/ Cluster Administrator in pseudo-graphic menu available by default in 5.0 See https://forum.kaspersky.com/topic/how-to-reset-kata-web-administrator-password-in-kata-50-katakedre-36844/ Details In case of standalone Central node: Login to the web-interface of the CN. Enter admin credentials (used for SSH login). Go to admin account > change password as per below In case of Distributed deployment (PCN and SCN): Login to the web-interface of PCN. Enter admin credentials (used for SSH login). Go to admin account -> change password Login to SCN via SSH and change using the pseudographic menu ("Change cluster admin password..." option)

The KESMac 12 and the KESMac 11.3 patch C allows adding particular processes into the trusted section named Trusted Applications. The both filesystem and network activity of which can be ignored by the product increasing performance. Please, however, note that this could be potentially risky. https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/194142.htm Problem This article will describe a few ways to configure KES for Mac to exclude some of the software from the scope of the product. Solution Trusted applications In order to have an ability to exсlude an application from scanning with KES, a function of Trusted Applications available in Kaspersky Endpoint Security for Mac can be used: The Trusted applications section as seen in the policy creation wizard. Naturally, it can be configured later by modifying the policy. Update the plugin to at least version 11.3.0.33 to get the new functionality. In some specific cases it might be required to put several binaries to Trusted Applications simultaneously in order to take effect. So, a final solution might include several path-based exclusions accompanied by a few BundleID-based ones. Trusted Applications are only available for configuration via KSC policy; i.e. it is currently impossible to add application to exclusions having no KSC installed. Additionally, an appropriate application control plug-in for KESMac must be downloaded and installed on the KSC prior to using Trusted Application functionality. It can be found on the corresponding download page. Common exclusions for developers It's suggested excluding the following paths: "/Library/Developer/CommandLineTools" and "/Library/Toolchains" for the standard developers' utilities, as well as the "/Applications/Xcode.app/*" for the XCode. At the same time, in case you use alternative tools, contact Kaspersky Support to get the exact paths for further exclusions. Excluding TCP 443 from port monitoring Additionally, in case of HTTPS-connectivity issues, unchecking port 443 in Monitored ports may also help:

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem Description, Symptoms & Impact KES File Threat Protection sometimes can't check Microsoft office documents from mounted Google Drive shares, therefore generating Processing error events. This issue is caused by an incompatibility between Google Drive VFS driver and KES. There are no plans on making KES compatible with Google Drive. Workaround & Solution As a workaround, add files with Office extensions stored on the share to exclusions, this shouldn't lower protection, because Office creates a temporary copy of a document when it is opened, which will not be in the exclusion scope and will still be checked. Example for .xlsx files: Path\to\google\drive\folder\*.xlsx, where Path\to\google\drive\folder is replaced with an actual path.

This article will help you to check EDRO component correct installation and integration. What you need to know about EDRO 1 EDRO working with KES 11.7+, KSWS 11.0.1 and KSV LA 5.2 (Windows only), so called EPP https://support.kaspersky.com/KEDR_Optimum/2.3/en-US/216855.htm 2 You must use NWC for EDRO 3 You can't use only KEA for EDRO scenario. It always integrates with EPP. How to check that EDRO component installed correctly First of all you need to check whether KEA component was installed or not. And if it's installed then was it integrated with EPP. KES Starting with KES 11.7 EDRO agent is integrated in the KES. First of all, check component status in MMC or NWC MMC NWC If you see Not supported by license, pay attention to the version. If you see 0.0.0.0 or N/A, it means that component is not installed. Not supported by license doesn't mean that there is no license for EDRO, it may mean that component is not installed on the host. When component is installed but not activated, you'll see installed component version: MMC NWC If component was installed and was not activated, it will look like this in the KES GUI: If component is not installed, then there will be no Detection and Response section in the KES GUI (in case MDR is installed, then there will be section Detection and Response, but there will be no Endpoint Detection and Response Optimum like you see above). How to check EDRO license in the KES UI You can check license components in the KES GUI. If there is no Optimum word, license do not support EDRO. For example: And there's an example when license key supports EDRO: KSWS During KSWS installation you must enable Endpoint Agent, even if KEA was already installed on the host. KSWS detects it and enables connector with existing KEA (KEA will not be reinstalled). This is how correctly installed KSWS + KES looks like in the MMC: And if it not installed: KSV LA There is no change components task. You can change them only during the upgrade or installation. Reinstallation requires reboot. During installation you need to choose Custom installation and enable integration with KEA Remember that you can enable integration in the installation package properties in the KSC. How to check NWC setup for EDRO What to do if there is no Alerts section in the NWC. How it looks If there is no Alerts section in the WEB UI Go to the settings: And enable EDR alerts: In the KSC NWC there will be EDRO plugin by default. It installs with the console. So the only way to reinstall it - reinstall NWC. How detection looks without installed EDRO component If you see detection but without enriched information, you'll see it like this: In the Enrichment and response section you'll see only Basic. It means where was a detection but no additional information about it was collected. Main reason why this may happen is that there's no EDRO component on the host.

Step-by-step guide You need a Mac device to collect iOS device log via Apple Configurator. Download Apple configurator via App Store. Run Apple Configurator. Connect your iOS device. Unlock the device and tap Trust. Open the iOS device → Console. Reproduce the issue. Save the log in Apple configurator. Try to save the log as soon as possible after you reproduce the issue, because the log is constantly being overwritten. Send the collected log file to Kaspersky support for further analysis.

Problem Description, Symptoms & Impact Sometimes an error might occur when installing KSE: KseCheckServicePortIsFreeActionStep has completed with an error: Service network port 13100 is occupied by another application… Diagnostics Screenshot or KSEInfoCollector. Make sure that port 13100 is open and not used by any application, and repeat the installation. This can be done using the command below. You will see a chart with a process ID (PID column) next to the address and port: netstat -aon | findstr 13100 You can then find this process by the ID in Task Manager or using the command below. Use the process ID you found in the previous command instead of the %PID% below: tasklist /fi "pid eq %PID%" Example tasklist /fi "pid eq 18060" Workaround & Solution There's no way to change the port used by KSE. So, the only option here is to free the port used by an application and repeat the installation. Sometimes ISS or W3WP.exe might be using the port. In some cases, this port is occupied after the Exchange updates, and the port should be released after the server restart. RCA Some application is using the port 13100.

Problem In previous versions of KATA it was possible to mount an NFS share to copy backups to. In KATA 5.x only CIFS share mounts are available out-of the box. Error root@1.srv.node1.node.dyn.kata:/home/admin# mount -t nfs 10.225.62.41:/mnt/NFS/KXDR /mnt/nfs mount: /mnt/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program. Solution Install packages manually via dpkg in the following order to add NFS support: dpkg -i /home/admin/libtirpc-common_1.2.5-1_all.deb dpkg -i /home/admin/libtirpc3_1.2.5-1_amd64.deb dpkg -i /home/admin/keyutils_1.6-6ubuntu1_amd64.deb dpkg -i /home/admin/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb dpkg -i /home/admin/rpcbind_1.2.5-8_amd64.deb dpkg -i /home/admin/nfs-common_1.3.4-2.5ubuntu3.5_amd64.deb

Problem description: After generating the client certificate on central node and upload it to KES policy, you can get the below error: Enter a crypto-container password to use the certificate. Note: If you are using KEA as a standalone product with KEA policy, you can upload the client certificate properly. Root cause: By default, the cryptographic container is not password-protected. The cryptographic container contains only the certificate file, but not the private key file. KES policy does not apply certificate without password (only KEA does). Solution: Access the central node SSH under root account 1) Export you current certificate to a passwordless pem type: #openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes Enter Import Password: <Enter no password> MAC verified OK 2) Convert the passwordless pem to a new pfx file with password: #openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem Enter Export Password: <Enter password here> Verifying - Enter Export Password: <Enter password here> Now you can use the new mycert2.pfx file with your new password.

То есть все-таки это периодическое уведомление в продукте. Которое невозможно навсегда отключить.

Problem While WTP/NTP is enabled, nft utility produces errors (stderr) like # nft list ruleset XT target TPROXY not found XT target TPROXY not found XT target TPROXY not found XT target TPROXY not found These errors are caused by a bug in nft utility and xt_TPROXY dynamic library. This effect does not indicate functionality issues. This bug may be reported to netfilter.org developers. Explanation Whenever nft utility lists traffic rules, it dynamically loads extension libraries (for example, from /usr/lib/x86_64-linux-gnu/xtables in Debian OS) including TPROXY and CONNMARK. When nft encounters first ipv4 rule, it sets global "family=ipv4" state via xtables_set_nfproto function, then loads libxt_TPROXY.so which has both ipv4 and ipv6 targets, but ipv6 are ignored due to the flag. After that, nft processes ipv6 rules but there are no ipv6 targets for them. As a result, nft utility produces errors "XT target TPROXY not found".

Issue: Some log files in KWTS take up a lot of disk space. Log rotation for these files does not work For example: Information Information about logs sizing and rotation you can find in files in /etc/logrotate.d folder on the KWTS server. The size of log files should be no more than: Log file In what file it described Size of a log file should be no more than: All files in /var/log/kaspersky/kwts/extra/ /etc/logrotate.d/kwts 100 MB /var/log/kwts-messages /etc/logrotate.d/kwts-syslog 500 MB /var/log/kwts-important /etc/logrotate.d/kwts-syslog 50 MB /var/log/kwts-traces /etc/logrotate.d/kwts-syslog 500 MB /var/log/nginx/access.log /etc/logrotate.d/nginx 100 MB /var/log/nginx/error.log /etc/logrotate.d/nginx 20 MB /var/log/squid/icap.log /etc/logrotate.d/squid 100 MB /var/log/squid/ssl.log /etc/logrotate.d/squid 100 MB /var/log/squid/squid.out /etc/logrotate.d/squid 10 MB /var/log/squid/cache.log /etc/logrotate.d/squid 500 MB /var/log/squid/access.log /etc/logrotate.d/squid 500 MB /var/log/messages /etc/logrotate.d/syslog 100 MB /var/log/cron /etc/logrotate.d/syslog 10 MB /var/log/maillog /etc/logrotate.d/syslog 10 MB /var/log/secure /etc/logrotate.d/syslog 20 MB /var/log/spooler /etc/logrotate.d/syslog 1MB How to fix Actual result kwts-traces log-file has frown to 4 GB: Expected result kwts-traces file no more than 500 mb How to fix Be prepared that you will need to reboot the server and it will not process traffic while it is rebooting. And you need ssh-access to the KWTS server - https://support.kaspersky.com/KWTS/6.1/en-US/183526.htm Make sure that trace lever is in "Error" mode - https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm Delete the largest log-files (in our case it is /var/log/kwts-traces) . If you need to clear additional disk space, you can delete large archive files if you are sure that you do not need the information in them Reboot the KWTS server and make sure that the deleted large files (/var/log/kwts-traces) are recreated Find out in table above in what file we can find information about kwts-traces rotation . It is kwts-syslog Execute following command logrotate -f -v /etc/logrotate.d/kwts-syslog &> logrotatef.log Make sure that all log-files which described in /etc/logrotate.d/kwts-syslog file were rotated. (You can see which log files are described in this file in the table above) What's next Kindly monitor that previously broken files (kwts-traces) do not exceed 500-600 MB. If it continues to grow and is already 700 MB or more, then run the command /usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf &> logrotatestatus.log And send logrotatef.log file from step 6 and logrotatestatus.log file to Kaspersky Support. And also send diagnostic info in "Debug" level. Do not forget to change it back to "Error" level - https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm

Problem Description, Symptoms & Impact The problem persists over different browsers, incognito mode and computers. The training status is "In Progress". The number of problematic users is small usually limited to 1-5. Diagnostics The issue usually presents itself on the student's (not admin's) side as a grey (non-active) button or a page that is not loading completely. Workaround & Solution Clear the cache and cookies in the browser. Pause the training for the problematic user and then restart the training.

Problem Description, Symptoms & Impact In KES 12.0, the way Device Control component works has been changed. See changelog: https://support.kaspersky.com/help/KESWin/12.0/en-US/127969.htm Due to these changes, you may notice that printing order becomes slow after you have upgraded KES to version 12.0 or higher. This delay may be around 30-60s or even 10-15 minutes. When you disable KES, it becomes instant. In some exceptional cases, the delay may be so big that it's impossible to print anything and the system hangs. The issue affects both local printers and network printers. Diagnostics First of all, test if the issue persists with Device Control component disabled. If it does, move any device to a separate group for testing, create a new default KES policy there and check if the issue persists on default policy or not. If everything is fine under default policy, this is a clear sign that something is wrong with your configuration. Additionally, try latest PF for KES and check if the issue persists on it. There are some optimizations there that fix some Device Control issues and it can improve the performance, but if the issue is in the policy configuration, it won't help much. Workaround & Solution Troubleshooting steps: Select a host for troubleshooting and move it to a test group Install latest pf on it and reboot check the situation Check if the issue is caused by Device Control component and if the issue persists if this component is disabled Check if the issue persists under main policy and under default policy Check policy configuration and check how many devices have been added to Trusted Devices list. If there are several hundred entries or more, try to find a way to reduce their amount. Please see this public article for more details: https://support.kaspersky.com/KESWin/12.1/en-US/38595.htm It states "it is not recommended to add more than 1000 trusted devices, as this can cause system instability." To reduce the list of trusted devices, you can use wildcard * for the same type of printer.

In NAgent 15, klmover was updated and now requires NAgent uninstallation password, if it is set in NAgent's policy. Right now the password can't be passed to klmover as an argument, but it can be supplied via echo: echo <password>|klmover -address <administration server ip> Because cmd doesn't parse quotes and spaces in echo properly, if klmover is started from cmd and the password contains characters requiring quotes, klmover should be run from powershell. Powerhell has a Start-Process command that allows to run a process as a different user, in this case it can be used in a batch script like this: cd "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\" powershell -Command "Start-Process powershell '-Command echo <password>|.\klmover.exe -address <address>' -Verb RunAs" But if it is run as a scheduled task in a group policy, it would be better to set the task to run as a user with administrator privileges and set it to run with highest privileges. Previous NAgent klmover versions are not compatible with NAgent 15.

Problem Description, Symptoms & Impact Network security assessment tools detect multiple vulnerabilities in the SVMs. Workaround & Solution Below is a list of detected vulnerabilities and solutions or reasons why it can't be fixed. Open ports SVMs have ports 22 and 80 open for communication with the Deployment Wizard and providing updates to Light Agents respectively. They are hardcoded, and therefore can't be changed or closed without at least partially breaking functionality of the product. Browsable Web Directories SVMs use them to share updates with Light Agents, and Light Agents need to be able to check for updates. This is not a problem as there are only read-only Light Agent updates available there. Weak SSH encryption By default SVMs use weak ssh key exchange algorithms. To fix that without losing ability to configure the SVM via Deployment Wizard, add the following in /etc/ssh/sshd_config on SVMs: KexAlgorithms diffie-hellman-group-exchange-sha256

Scenario After the deployment of KSC in the environment, the Backup task fails with the following error using the KSC Backup task or klbackup utility (screenshot is below). All the permissions were correctly assigned on the shared folder, and ports were opened, but still the backup was failing. There were no blocking events in the Firewall traffic logs. Error -1963 ('Database connection is broken " 'Connection failure{08S01};' LastStataement='select type from sys.system_object where name = 'dsm_os_host_info';'" Root cause The issue was identified to be the IPS module of the Firewall (Fortinet/Paloalto) in the environment. When the backup task was initiated, the IPS module was blocking the SQL backup query with "SMB Injection/Attack" signatures. Solution Disable the IPS policy on the Firewall for KSC and MS SQL servers and the backup task will be completed successfully.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) The complete encryption procedure is as follows: 1. During authentication, a private key is generated based on the username and password 2. The private key is used to decrypt the user’s storage and extract the primary key 3. The primary key is checked against the identifier specified in the file header. If it matches, the file encryption key is extracted from the header. 4. The file contents are decrypted using the key obtained in the previous step. The operating system generates private key for file decryption based on the authentication credentials. Until you log in to the system, only the encrypted versions of files can be accessed, so their contents are unreadable. KES uses several types of keys to handle encrypted files: — Administration Server's public key is stored in the Network Agent distribution package and gets on the client computer when protection is deployed. — User’s private key is generated by the operating system based on the username and password. Private keys are not saved to the hard drive. The key stays the same if the account credentials remain the same. However, a new key is generated if the user or password changes. — Primary key is created on the client computer when FLE is enabled. This key is used to encrypt all files. A copy of the primary key is saved in the computer's key storage, which in turn is encrypted using the KSC's public key. It is also saved in all active users' key storages, which are encrypted using their private keys. Thus, after authentication, any user can decrypt his or her storage and access the primary key. — File encryption keys: a separate key is generated to encrypt each file When a file is encrypted, its name and other external attributes are not changed.