Scenario: Phishing links are detected but some emails are allowed through, even though the selected Action is "Move to Junk Email folder".

Solution: The original e-mail was already located in the Junk folder when our product started to scan it. The "Allow through" action was performed; in this case it means that we've added the phishing tag to the e-mail and left it in the Junk folder. Most likely this e-mail was detected by some third-party anti-malware/phishing solution (Microsoft anti-malware filters in EWS, for example) and was moved to Junk, then we've scanned it and there was nothing to do with it except adding the tag to it.
-
In order to send messages from backup with headings without saving them, please navigate to:
-
Version: Kaspersky Security for Exchange 9.5.10000.64, 9.6.96

Scenario: In Kaspersky Security 9.0 for Microsoft Exchange Servers there's the following error event: "AM Error Kernel: The Anti-Virus (Anti-Spam) module has been switched to limited scan mode for next 30 minutes. Some objects may be skipped without being scanned." The same error message appears on the KSE console:

Solution: Sometimes Exchange tries to give KSE more emails to check than KSE is able to check. In order to prevent delays in mail delivery, the anti-virus and/or anti-spam engine switches to a special mode of operation called "Limited scan mode". This mode lasts for 30 minutes. During this period, some emails may be skipped for checking. The transition to normal mode is carried out automatically after the time specified above. You can find out about this mode of operation in our Online Help:
https://support.kaspersky.com/KS4Exchange/9.6/en-US/28854.htm
https://support.kaspersky.com/KS4Exchange/9.6/en-US/99915.htm
https://support.kaspersky.com/KS4Exchange/9.6/en-US/28871.htm
-
Scenario: Kaspersky Security for Exchange installation failed with the following error: "Failed to grant rights to run under a different name (impersonation) for Kse Watchdog Service".

Solution: If you get the error message about impersonation, execute the following commands in PowerShell:
Add-PsSnapin Microsoft.Exchange.Management.PowerShell.E2010
Remove-ManagementRoleAssignment KSE_IMPERSONATION -Confirm:$False
Then press the Retry button.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Version: Kaspersky Security for Exchange 9.0 MR5 (9.5.10000.64)

Scenario: The following error message appears:
"Access denied. To manage application features, the user's account must be added to one of the following Active Directory groups:
KSE Administrators
KSE AV Security Officers
KSE AV Operators
KSE Security Officers."

Solution: This error means that the account under which the KSE management console is running is not part of any of the KSE management groups listed above in the error text. The user needs to decide what role the user's account will perform and include this account in the corresponding KSE group created in their Active Directory (AD). You can learn more about the roles in our Online Help: https://support.kaspersky.com/help/KS4Exchange/9.5/en-US/81511.htm
-
Version: KSE for Microsoft Exchange Server versions 9.5.10000.64, 9.6.96.

Scenario: We have established a workaround to a problem with invalid SQL server parameters during its installation. An error about invalid SQL server parameters occurred during the installation: "The server was not found or was not accessible. Verify that the instance name is correct, and that SQL Server is configured to allow remote connections. Error 26 - Error Locating Server/Instance Specified". We have found the following information in the installation log. The installation log showed that the SQL server "CRATER\SQLEXPRESS" was used for the installation. We found that the configuration file "BackendDatabaseConfiguration*.config" which was used for configuring the SQL server was using the server name "CRATER".

Solution: If you're sure that "CRATER\SQLEXPRESS" is the real name of the SQL server, replace "CRATER" in the SQL server name with "CRATER\SQLEXPRESS" in the following objects:
1. The "X:\%KSE_Folder%\Configuration\BackendDatabaseConfiguration*.config" file. If there are several such files in this folder, do it for all of them.
2. The system registry key "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Server". The parameter is BackendSqlServerName.
Then start the upgrade again.
-
In most cases the issue is related to processing downloaded bases on the server drive. Databases are downloaded from our sites successfully, but the problem appears during compiling and copying the downloaded bases locally on the KSE server. Such behavior may be caused by the following:
Exclusions for KSE not configured in Kaspersky Security for Windows Server or Kaspersky Endpoint Security.
Other utilities (backup, for example) that may interfere with the file processing.
Incorrect operation of the delete function on high-speed drives, for example, SSD drives.

Solution:
1. Configure Kaspersky Security for Windows Server or Kaspersky Endpoint Security for correct simultaneous work with KSE. Completely exclude the KSE folder, all subfolders and KSE processes from the scan scope:
Kavscmesrv.exe
Antiphishing.OutprocScanner.exe
Antispam.OutprocScanner.exe
Antivirus.OutprocScanner.exe
Kse.Ksn.exe
Kse.Licensing.exe
Kse.Updater.exe
2. Set the startup type of the KSE service to manual.
3. Stop the KSE service.
4. If the issue is related to corrupted AS bases, delete all contents from the folders:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\as\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\cache
If the issue is related to corrupted AV bases, delete all contents from the folders:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache
If the issue is related to corrupted AS and AV bases, delete all contents from all the folders:
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\as\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\ap\cache
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\bases
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache
5. Set the startup type of the KSE service back to automatic / automatic (Delayed Start), as it was before the adjustment at step 2.
6. Start the KSE service.
7. Update anti-spam and/or anti-virus bases manually through the KSE Management Console.
8. If the issue persists, contact Kaspersky Support.
-
Did you personally observe the pairing process? It has already been solved by changing the driver in the settings. At least, that is what the instructions say. Why they should do anything more is unclear.
-
This article is about Kaspersky Endpoint Security for Windows (KES for Windows).

This informational message does not mean that Self-Defense accuses any process of being under malware attack; it proactively blocks certain operations that could pose a potential threat to processes. The number of events depends on the activity of applications that inhabit the system, especially their periodic activities, polls on a timer, emerging events, and so on. The event in the reports is informational; it can simply be disabled in the settings. It's not expected to react to these events. More specifically, it's usually the update programs and VMware services that try to access application processes. The update programs want to restart all processes when the update is finished so that they don't have to reboot the system. But KES doesn't allow them to restart our processes.

The applications causing these events:
Microsoft Edge Update
Google Installer
Windows Installer
VMware Authorization Service
Host Process for Windows Services
Client Server Runtime Process

It is normal for such a request to fail, and this should not be a concern. These events can be turned off in the active KES policy: General settings → Interface → Notifications: informational messages → Self-Defense restricted access to the protected resource.
-
How to store MS BitLocker recovery keys in Active Directory [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
If you want to store FDE encryption keys in Active Directory, this is possible if BitLocker encryption is used. In order to transfer and store the recovery passwords (keys) in Active Directory, it is necessary to:
1. Enable the "Choose how BitLocker-protected operating system drives can be recovered" group policy (https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-rec1) for target computers and configure saving BitLocker recovery information to Active Directory Domain Services there. Here is the target policy in the gpedit.msc snap-in on the computer where encryption is planned to be enabled:
2. Install the 'BitLocker Recovery Password Viewer' feature on the computer with the AD DS Domain Service running:

This functionality does not apply to Kaspersky products by design, but in theory it can be used in parallel with MS BitLocker Drive Encryption technology deployed by means of KES BitLocker management (i.e. through the Kaspersky product). In this case, after encryption starts the recovery data will be transferred and stored both in AD and on the KSC server. We strongly recommend not applying any settings via the BitLocker (GPO) policies (the recommended configuration is "Not configured" for all policies located in the [Computer configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption] node and below), because they can prevent deploying BitLocker-related settings through the Kaspersky product policy. It will lead to an error in applying the BitLocker Drive Encryption 'Encrypt all hard drives' policy and the inability to encrypt the disk as a result.
-
How to check Adaptive Anomaly Control (AAC) [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
To check Block action:
1. Specify Block actions for all rules in the group Activity of script engines and frameworks.
2. Extract files from the archive and start the scripts.
3. All scripts should be blocked, and a popup about it should be shown. There will be new records about blockings in the local report, events and AAC report in the KSC console.

To check Smart action:
1. The host where KES is installed is under the applied policy.
2. Specify Smart mode for all rules in the group Activity of script engines and frameworks.
3. Extract files from the archive and start any script.
4. Open KSC → Advanced → Repositories → Triggering of rules in Smart Training State. Check that a new record is shown there. There will be no info about this detection in the local report, KSC reports or in the events.
After two weeks, if there are no new detections for this rule, the rule will automatically change to Smart Blocking mode. If this rule is detected again, the learning period will be extended.
-
Device Control errors [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Issue: Sometimes Device Control errors in KES may occur. For example, hard drives are wrongly blocked when USB device blocking is enabled, or flash drive blocking is not happening although the policies require it. In some cases, the reason for erroneous blocking is that the operating system (OS) is incorrectly identifying the device type.

Solution: As an example, if the policies prohibit access to flash drives, but this rule does not always work, you can check the following. Go to Device Manager and check the Removal policy parameter. The parameter value must be 2 or 3 if the OS has correctly detected the flash drive. If the parameter has any value other than 2 or 3, then the OS considers the attached device to be non-removable. Based on this data, KES decides to allow access to the device and not block it, and then informs the user. Below we have added all the possible values and their descriptions which the Removal policy parameter can have:
Removal policy 00000001 - ExpectNoRemoval (cannot be extracted at all)
Removal policy 00000002 - ExpectOrderlyRemoval
Removal policy 00000003 - ExpectSurpriseRemoval

Conclusion: If the flash drive is not blocked by KES and the Removal policy parameter has a value other than 2 or 3, it means that the OS has detected the drive incorrectly. Thus, this is not a bug in the Kaspersky app.
-
Info about KES in registry [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
How to check if KES is installed, its state (running or not) and bases version via the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState
More information about these registry keys is available in Online Help: https://support.kaspersky.com/ksc14/3644.

Obtaining information from the registry is for familiarization purposes only. The KESCLI commands method is supported by developers:
Managing the application from the command line > KESCLI commands > GetRealTimeProtectionState. File Threat Protection status: https://support.kaspersky.com/help/KESWin/12.2/en-US/213719.htm
Managing the application from the command line > KESCLI commands > GetDefinitionState. Determining the update completion time: https://support.kaspersky.com/help/KESWin/12.2/en-US/213724.htm

Information in this registry key is created by Network Agent (NA). The information will be deleted before OS shutdown and will be created after OS boot. There is a delay (120 s) for the NA service start. So if you need to get the state of KES immediately after OS boot, use KESCLI.
-
This only applies to KSC 14.2 and below.

Problem: Remote installation tasks finish with uninformative errors:
Setup process error: Unknown error. (126)
Setup process error: Unknown error. (2)

Solution:
1. Create a 3rd party installation package (Create installation package -> Create an installation package for the specified executable file).
2. Specify the executable file, for example script.sh.
3. Locate this package folder in KSC storage, by default %ProgramData%\KasperskyLab\adminkit\1093\.working\share\Packages\(package_name).
4. Edit .\(package_name)\executable_package.kpd: remove exec\ from the Executable path, add the DontWrap=1 option. The Setup section should read the following:
executable_package.kpd
[Setup]
Executable=script.sh
DontWrap=1
Params=
5. Edit .\(package_name)\exec\executable_package.kpd: remove exec\ from the Executable path, add the DontWrap=1 option. The Setup section should read the following:
exec\executable_package.kpd
[Setup]
Executable=script.sh
DontWrap=1
Params=
6. Copy .\(package_name)\exec\script.sh to .\(package_name)\script.sh.
7. Check that in package Settings, "Executable file" changed from exec\script.sh to script.sh.
8. Use this package in the "install application remotely" task.
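Steps 4 to 6 above are easy to get subtly wrong by hand (a stray space, editing only one of the two .kpd files, forgetting the copy). The following script is an added example, not Kaspersky's code or part of the post: it applies the same edits to both executable_package.kpd files and copies the script out of exec\, in an idempotent way so re-running it is harmless. It assumes the .kpd files are plain UTF-8 INI text with the [Setup] keys shown in the post; anything else in the file is carried through untouched, and the key order in the output may differ from the post's listing, which is irrelevant for an INI file.

```python
import configparser
import io
import shutil
import tempfile
from pathlib import Path

# Constructed sample of executable_package.kpd as the post shows it before the
# edit. Assumption: real files may carry more keys or sections; the code below
# carries any extra content through unchanged and only touches [Setup].
SAMPLE_KPD = "[Setup]\nExecutable=exec\\script.sh\nParams=\n"


def fix_setup_section(kpd_text: str) -> str:
    """Steps 4/5: strip the leading 'exec\\' from Executable and add DontWrap=1.
    Idempotent, so re-running on an already edited file changes nothing."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str  # keep key case exactly as KSC wrote it
    cp.read_string(kpd_text)
    if not cp.has_section("Setup"):
        raise ValueError("no [Setup] section in .kpd")
    setup = cp["Setup"]
    exe = setup.get("Executable", "")
    if exe.lower().startswith("exec\\"):
        exe = exe[len("exec\\"):]
    setup["Executable"] = exe
    setup["DontWrap"] = "1"
    out = io.StringIO()
    # no spaces around '=' so the result matches the post's key=value layout
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


def fix_package(package_dir) -> dict:
    """Steps 4-6 on one package folder: edit both .kpd files and copy the
    script from exec\\ to the package root. Returns the resulting [Setup]
    values so step 7 can be checked without opening the console."""
    package_dir = Path(package_dir)
    kpds = [package_dir / "executable_package.kpd",
            package_dir / "exec" / "executable_package.kpd"]
    for kpd in kpds:
        # assumption: the .kpd files are UTF-8 text; adjust if yours differ
        kpd.write_text(fix_setup_section(kpd.read_text(encoding="utf-8")),
                       encoding="utf-8")
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(kpds[0].read_text(encoding="utf-8"))
    exe = cp["Setup"]["Executable"]
    dst = package_dir / exe
    if not dst.exists():
        shutil.copy2(package_dir / "exec" / exe, dst)
    return {"Executable": exe, "DontWrap": cp["Setup"]["DontWrap"],
            "script_copied": dst.is_file()}


def demo() -> dict:
    """Build a constructed package folder in a temp dir, fix it, return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "MyPackage"
        (pkg / "exec").mkdir(parents=True)
        (pkg / "executable_package.kpd").write_text(SAMPLE_KPD, encoding="utf-8")
        (pkg / "exec" / "executable_package.kpd").write_text(SAMPLE_KPD, encoding="utf-8")
        (pkg / "exec" / "script.sh").write_text("#!/bin/sh\necho hello\n", encoding="utf-8")
        return fix_package(pkg)


if __name__ == "__main__":
    print(fix_setup_section(SAMPLE_KPD))
    print(demo())
```

Point fix_package at the real package folder under %ProgramData%\KasperskyLab\adminkit\1093\.working\share\Packages\ after the KSC service has written it, then verify step 7 in the package Settings.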
-
KATA: KEA tasks FAQ [KATA/KEDRE]
svc_kms posted a blog entry in Kaspersky Anti Targeted Attack & EDR Expert's KATA & KEDR Expert community articles
What is the default synchronization period between KEA and CN?
The sync period (which is every X minutes) for KEA is configurable in the KEA policy. The default synchronization period is 300 sec (5 min). The same period applies to LENA.

What is the isolation workflow?
In KATA, CN creates a task for host isolation. KEA receives an 'isolate' command from the Central Node during synchronization. The agent turns on host isolation with the exclusions configured in the KEA policy. At the next sync time (after X minutes) the agent sends the results of isolation to the Central Node. When isolation is turned on, the isolated host stays connected to the Central Node, so you can view the telemetry from this host and execute other tasks.

Is it OK that isolation takes up to 10 minutes?
Yes, see the previous two sentences for explanation. It takes up to 5 minutes to sync a task with the host when default settings are applied. To sync the status back to CN we need another 5 minutes.

What will happen if the IOC scan didn't finish within Maximum scan duration? Will it resume next time or will it terminate?
The IOC scan task starts as scheduled and then terminates upon reaching the Maximum scan duration even if it hasn't finished yet. The next scheduled time the scan task starts from the beginning.

How to determine whether the specified time is enough to complete the scan?
Experimentally.

The default scan is a full scan; are there any options to set a custom scan?
The IOC scan task is not configurable in KATA, thus there is no way to set a custom scan.
-
This works on all KATA CN versions from 3.6.1 to 5.1. You can execute the queries below with curl to get the text representation of agent status. SSO login and password must be used; a limit of 200 entries is used in the example query.

JSONs with agent status:
curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false}' https://KATACN:8443/apt/api/userLogin && curl -s -b ./cookie -k -X POST -H 'Content-Type: application/json' -H 'Referer: https://KATACN:8443/katap/' -d '{"limit":200,"offset":0}' https://KATACN:8443/apt/api/hostsAgentActivity | python -m json.tool

This query can be customized further to get lists of hostnames, IPs etc.:

List of unique agents hostnames:
curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false}' https://KATACN:8443/apt/api/userLogin && curl -s -b ./cookie -k -X POST -H 'Content-Type: application/json' -H 'Referer: https://KATACN:8443/katap/' -d '{"limit":200,"offset":0}' https://KATACN:8443/apt/api/hostsAgentActivity | python -m json.tool | grep hostname | awk -F\" '{print $4}' | sort | uniq

List of unique agents hostnames:
curl -s --output /dev/null -c ./cookie -k -X POST -H 'Content-Type: application/json' -d '{"username":"SSO","password":"MYPASSWORD","local":false}' https://KATACN:8443/apt/api/userLogin && curl -s -b ./cookie -k -X POST -H 'Content-Type: application/json' -H 'Referer: https://KATACN:8443/katap/' -d '{"limit":200,"offset":0}' https://KATACN:8443/apt/api/hostsAgentActivity | python -m json.tool | grep \"ip\" | awk -F\" '{print $4}' | sort -n | uniq
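The grep/awk pipelines above work on the pretty-printed JSON but are fragile: they match any key containing "hostname", treat WS-001 and ws-001 as two hosts, and `sort -n` only reads the leading "10.0" of an address as a number, so 10.0.0.25 lands before 10.0.0.3. The script below is an added example, not Kaspersky's code or part of the post: it does the same extraction with a JSON parser over the response saved from the hostsAgentActivity call (pipe the curl output into it). The record layout is an assumption, so it looks for "hostname" and "ip" keys at any depth and ignores everything else; the sample response is constructed.

```python
import ipaddress
import json
import sys

# Constructed sample shaped like what the post's grep/awk pipeline expects from
# hostsAgentActivity: records carrying "hostname" and "ip" keys. Assumption:
# the real response may wrap these records in other objects or add fields;
# only those two keys are read, at any depth.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"hostname": "WS-001", "ip": "10.0.0.25", "status": "Normal"},
    {"hostname": "ws-001", "ip": "10.0.0.25", "status": "Normal"},
    {"hostname": "SRV-FILE", "ip": "10.0.0.3", "status": "Warning"},
    {"hostname": "WS-002", "ip": "192.168.1.7", "status": "Normal"},
    {"hostname": "", "ip": "not-an-ip", "status": "Unknown"},
]})


def _dicts(obj):
    """Yield every dict nested anywhere in a parsed JSON value."""
    if isinstance(obj, dict):
        yield obj
        for value in obj.values():
            yield from _dicts(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _dicts(item)


def unique_hostnames(response_text: str) -> list:
    """Unique hostnames, case-insensitively (grep|sort|uniq keeps WS-001 and ws-001 apart)."""
    seen = {}
    for record in _dicts(json.loads(response_text)):
        name = record.get("hostname")
        if isinstance(name, str) and name:
            seen.setdefault(name.lower(), name)  # keep the first spelling seen
    return sorted(seen.values(), key=str.lower)


def unique_ips(response_text: str) -> list:
    """Unique, syntactically valid IPs in true numeric order
    (unlike 'sort -n', which compares only the leading number)."""
    addrs = set()
    for record in _dicts(json.loads(response_text)):
        value = record.get("ip")
        if isinstance(value, str):
            try:
                addrs.add(ipaddress.ip_address(value))
            except ValueError:
                continue  # skip malformed entries instead of emitting junk
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    # Usage: save the hostsAgentActivity response and run `python3 this.py < agents.json`;
    # with nothing on stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    print("hostnames:", *unique_hostnames(text), sep="\n  ")
    print("ips:", *unique_ips(text), sep="\n  ")
```

Saving the response once and post-processing it offline also means the login request, and the password it carries on the command line, is issued a single time rather than once per list.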
-
So they contacted Kaspersky to clarify the situation, and from Kaspersky's side there has been silence. I think Adguard will solve this problem, but there may be another problem: whether Kaspersky will remove this warning on their side in the future. Answers appeared here later. I wrote to technical support last week.
-
Anti-Cryptor doesn't start on OS boot [KES for Linux]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Problem: Sometimes the Anti-Cryptor task in KESL won't be able to launch after the OS is started. This may happen because Anti-Cryptor needs all the protected network resources to be up before the KESL service is started. In other words, Samba or NFS services should be started before the KESL service.

Solution: To resolve this problem you need to make sure that services start in the correct order.

For systemd systems:
1. Create a file /etc/systemd/system/kesl.service.d/override.conf
# touch /etc/systemd/system/kesl.service.d/override.conf
2. Add the following to /etc/systemd/system/kesl.service.d/override.conf:
[Unit]
After=nfs-server.service smb.service
[Service]
TimeoutSec=300
3. Reload services
# systemctl daemon-reload

For SysV init systems: Rename the Samba and NFS init files to make those services start earlier. E.g.
# mv /etc/rc3.d/<smb_init_file> /etc/rc3.d/S49smb
# mv /etc/rc3.d/<nfs_init_file> /etc/rc3.d/S49<nfs_init_file>
Where <smb_init_file> and <nfs_init_file> stand for the current init files present in the system. The NFS init file may have a different name depending on your environment: nfs, nfs3 or nfs-server.
-
Scenario: You're using a firewall that is using SSL interception. All required ports were opened as per http://support.kaspersky.com/13326. On the corporate network, activation fails with "error 6". Off the network, activation is successful.

Solution: The reason this might not work is that your SSL-intercepting firewall (3rd party) might be attempting to check the validity of the SSL certificate that protects Kaspersky's activation server (activation-v2.kaspersky.com, TCP port 443). In particular, the firewall might be trying to check whether the certificate is revoked. Checking a certificate's status can be done through an older protocol called CRL or a newer protocol called OCSP. The fix is to configure the firewall not to perform SSL interception relating to TCP port 443 of activate.activation-v2.kaspersky.com.
-
Officially, exclusions from protection against external encryption are written on this page: https://support.kaspersky.com/KSVLA/5.2/en-US/175626.htm

Starting from 07/06/2022 it is possible to add exclusions from protection against external encryption using the "Exclusions" tab under the "Exclusions and trusted applications" settings.

Steps:
1. Go to the "Exclusions and trusted applications" settings and move to the "Exclusions" tab.
2. Add the folder/filename (masks are supported), specifying the SystemWatcher application component.
3. Apply the policy.

The tested exclusions:
<Drive>:\<Folder>\
<Drive>:\<Folder>\*.enc
<Drive>:\<Folder>\*\*.enc

Example:
-
Windows
Unpack the archive (add_category.rar) on any device that has access to the Administration Console port of the Administration Server. Create a text file with the needed hashes; by default the script expects it to be sha256.txt in the script's working directory. Edit add_category.cmd with the specified KSC username, password, server address, and name of the text file with hashes (the file should be saved in UTF-8 encoding). If a category with the specified name already exists, it keeps unique SHA256 hashes in the category.
List of arguments:
/Server - Server address, 127.0.0.1 by default
/User - Username, current user by default
/Pass - Password
/File - Path to the file with hashes, input.txt by default. File should be saved in UTF-8
/Category - Category name, New custom category by default

Linux/macOS/Windows
custom_script_add_category.zip - OpenAPI python script. To use it the customer should install Python 3.12 or newer and additional libraries: urllib3, keyring, KlAkOAPI (https://support.kaspersky.com/ksclinux/14.2/en-US/211453.htm).
-ksc_user - this parameter should be specified if an internal KSC user is used to log in to KSC.
-category - name of the category
-expressions_type - defines the array of the rules: "inclusions" or "exclusions"
-file - name of the file with hashes.
-full_replace - with this parameter specified, all existing conditions will be overwritten (by default the script adds new conditions to the category without overwriting existing conditions)
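Both scripts above take a text file of SHA256 hashes that must be UTF-8, and the category ends up holding whatever lines the file contains. The helper below is an added example, not Kaspersky's add_category.cmd or its OpenAPI script: it validates such a file before you hand it to either, tolerating the BOM that Windows editors often write into "UTF-8" files, dropping blank lines and comments, lower-casing and de-duplicating the digests, and reporting the line numbers of anything that is not a 64-hex-digit SHA-256 (a truncated paste, an MD5 mixed in). The sample file content is constructed; the two valid digests in it are the well-known SHA-256 values of the empty string and of "abc".

```python
import re
from pathlib import Path

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample of a sha256.txt as a user might save it: a UTF-8 BOM
# (what Notepad's "UTF-8" often adds), a comment, mixed case, a blank line,
# a duplicate and a truncated hash. The two valid digests are the well-known
# SHA-256 values of the empty string and of "abc".
SAMPLE_FILE = (
    "\ufeff# hashes exported from a sandbox report\n"
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
    "\n"
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
    "deadbeef\n"
)


def load_sha256_list(text: str):
    """Return (unique lowercase SHA-256 hashes in first-seen order,
    [(line_number, raw_line), ...] for lines that are not a SHA-256)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not hashes
        digest = line.lower()
        if not SHA256_RE.match(digest):
            rejected.append((lineno, raw))
            continue
        if digest not in seen:
            seen.add(digest)
            accepted.append(digest)
    return accepted, rejected


def read_hash_file(path):
    """Read a hashes file as the post requires (UTF-8); utf-8-sig also tolerates a BOM."""
    return load_sha256_list(Path(path).read_text(encoding="utf-8-sig"))


def write_clean_hash_file(src, dst) -> int:
    """Write only the validated, de-duplicated hashes to dst (UTF-8, no BOM) and
    return how many were written, so the cleaned file can be passed via /File or -file."""
    accepted, _ = read_hash_file(src)
    Path(dst).write_text("\n".join(accepted) + "\n", encoding="utf-8")
    return len(accepted)


if __name__ == "__main__":
    ok, bad = load_sha256_list(SAMPLE_FILE)
    print(f"{len(ok)} unique hashes accepted")
    for lineno, raw in bad:
        print(f"line {lineno}: rejected {raw!r}")
```

Run write_clean_hash_file("sha256.txt", "sha256.clean.txt") and point /File (or -file) at the cleaned file; review the rejected lines rather than letting a malformed entry silently become a category condition.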
-
Scenario: When logging in to KSC Web Console, it shows the following error:
Administration Server uses an untrusted self-signed certificate. Please modify the application configuration by specifying a valid certificate for Administration Server.
Alternative wording (for older KSC versions):
Administration Server has untrusted self signed certificate. Please, reconfigure the application with correct certificate for Administration Server.

Reason: The KSC certificate is set when Web Console is installed. If there are any changes/errors with the certificate after the installation, KSC Web Console will show this error, e.g. you installed Web Console together with KSC, then restored a KSC backup.

Solution and Source: Change the certificate in KSC. Specifying certificates for trusted Administration Servers - guide on specifying a new certificate
-
How to move WSUS folder [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
You're using KSC as a WSUS server and moving the Windows Update folder to another drive so it won't occupy space on the C drive. However, when you're downloading Windows updates to KSC, the "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer" folder is increasing its size up to 15.5 GB.

Solution: Here is the procedure:
1. Make a backup copy of KSC.
2. Stop the KSC service.
3. Copy the folder "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer" to its new location, for example "E:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer".
4. Rename the old FTServer folder, for example to "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer_old".
5. Create a symbolic link for the FTServer folder that points to the new FTServer folder location using this command (run in an elevated command prompt, replace the link target with the path to your new FTServer folder location):
mklink /D "C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer" "E:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer"
6. Start the KSC service.
-
How to change KSC Web Console port [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
This info applies to KSC 12-14.2. The Web Console port can be changed from the default port 8080 to 443 or any other port not occupied by the operating system or a third-party application.
1. Open the file "C:\Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\server\config.json" with any text editor and type the port you would like to use instead of 8080:
2. Restart all Kaspersky Security Center Web Console services via services.msc to apply the changes.