All Activity

Problem When you install Kaspersky Security for Mobile on Android from Kaspersky Endpoint Security Cloud using the link sent via Send instructions, an error "Installation package not found" may appear. This happens when the Operating System installed on the device is not recognized. Solution Remove KESM from the affected device. Open KES Cloud & browse to Users. Find the User with the device that cannot synchronize with KES Cloud. Send instructions to this User. User will get an email with new link. Download KESM via link from KES Cloud invitation email. If the installation fails install it from an application store (Galaxy Store, Huawei AppGallery, RuStore, or Xiaomi GetApps) or from Kaspersky website https://www.kaspersky.com/small-to-medium-business-security/downloads/endpoint When KESM will request server address, open the KES Cloud email then copy the whole link from the email and paste it to the Server field. Important Input KES Cloud address from the email when KESM will request a server address for the first time The copied link must look like: https://sXXX.cloud.kaspersky.com:8080/getPackage?vServerName=d8axxxxxxx0d7d2&packageID=CxxxczMzOC5jbG91ZC5rXXXXXXYUYYYYYYYYYFpbD1ZbTkxY21kdmRTNTZhV1ZrUUxxxxxU52YlE Provide all necessary permissions. Try to synchronize the device with KES Cloud.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. This article is about Kaspersky Endpoint Security for Windows (KES for Windows) Problem When KES installation fails with error message "Failed to access local group policy. Error 0x80004005", installation log should be checked. If it contains something similar, follow the steps below. MSI (s) (F4:94) [11:27:28:103]: Invoking remote custom action. DLL: C:\WINDOWS\Installer\MSI9735.tmp, Entrypoint: DisableWindowsDefender DisableWindowsDefender: Entering DisableWindowsDefender in C:\Windows\syswow64\MsiExec.exe, version 5.0.15063.0 DisableWindowsDefender: Failed to access local group policy. Error 0x80004005. DisableWindowsDefender: DisableWindowsDefender: finished. Return value 1603. CustomAction DisableWindowsDefender returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox) Action ended 11:27:28: InstallExecute. Return value 3. According to the log, something is preventing KES from disabling Windows Defender. The KES installer calls the MS API function OpenLocalMachineGPO(GPO_OPEN_LOAD_REGISTRY) https://msdn.microsoft.com/en-us/library/aa374275(v=vs.85).aspx, which returns an error. This problem is not related to KES, therefore only workarounds can be suggested. Most likely, the problem is related to Group Policy and is on the Microsoft Windows side. Solution Move the affected computer under default AD policy, then try to install KES once again. In case it will not help Here are some additional ways to solve the problem. No guarantee that they will work, and no responsibility for the effect, as they are not related to KL products. registry.pol related issues Delete C:\Windows\System32\GroupPolicy\Machine\registry.pol Restart the SMS Agent Host service to force ConfigMgr to reload the policies. Sometimes it is also necessary to reinstall the ConfigMgr client. gpt.ini related issues Replace C:\Windows\System32\GroupPolicy\gpt.ini with a copy from an unaffected computer.

Description and cautions The original scenario located on the page https://support.kaspersky.com/kes11mac/diagnostics/15299, requires a lot of efforts and manual manipulations. I am offering a bit easier and time-saving approach doing the same. Details All the commands from the original document are saved here, but placed together and being run one after another consequently; the old product logs are also wiped up in order to avoid mess: Login under root: sudo -i Enable KESMac KLnagent tracing: rm -rf /Library/Logs/Kaspersky\ Lab/* /Library/Logs/klnagent_trace.log && launchctl unload /Library/LaunchDaemons/com.kaspersky.klnagent.plist && cat /Library/LaunchDaemons/com.kaspersky.klnagent.plist > /Library/LaunchDaemons/com.kaspersky.klnagent.plist.backup && chmod ugo+w /Library/LaunchDaemons/com.kaspersky.klnagent.plist && curl -o klnagent_enabled_traces.zip -J -L https://media.kaspersky.com/utilities/CorporateUtilities/klnagent_enabled_traces.zip && unzip klnagent_enabled_traces.zip && cat klnagent_enabled_traces.plist > /Library/LaunchDaemons/com.kaspersky.klnagent.plist && chmod ugo-w /Library/LaunchDaemons/com.kaspersky.klnagent.plist && launchctl load /Library/LaunchDaemons/com.kaspersky.klnagent.plist Now you can check the log is being written: ls -lh /Library/Logs/klnagent_trace.log In case you need to enable KESMac tracing, refer to the specially dedicated article https://support.kaspersky.com/kes11mac/diagnostics/15041; It is time to reproduce the issue; When it is done, disable KESMac KLnagent tracing the same manner (ensure, you are still under root: sudo -i): launchctl unload /Library/LaunchDaemons/com.kaspersky.klnagent.plist && chmod ugo+w /Library/LaunchDaemons/com.kaspersky.klnagent.plist && cat /Library/LaunchDaemons/com.kaspersky.klnagent.plist.backup > /Library/LaunchDaemons/com.kaspersky.klnagent.plist && chmod ugo-w /Library/LaunchDaemons/com.kaspersky.klnagent.plist && launchctl load /Library/LaunchDaemons/com.kaspersky.klnagent.plist Upon finish, gather the collect package (https://support.kaspersky.com/collect) curl -o collect.tar.gz -L "https://box.kaspersky.com/f/00a1a6d8beb24554a72d/?dl=1" && tar -zxvf collect.tar.gz && chmod +x collect.sh && sudo ./collect.sh

As stressed in the product documentation, Sandbox, which is deployed as a Virtual Machine, should have an exact sizing, violation of which may lead to various issues. The only parameter that can be varied is a CPU clock rate. Common mistake The most notable mistake regarding scaling up VM sandboxes is an attempt to make one huge Sandbox VM with two to four times the required RAM/CPU as dedicated resources. Correct approach is to create a respective number of additional VMs and distribute these resources between them. For example, if you want to double the performance of a KATA Sandbox VM instead of adding 15 more CPU cores and 32 more gigabytes of RAM to an existing Sandbox, you need to deploy a new Sandbox VM with the following resources: CPU: 15 cores, 2.1 GHz or higher RAM: 32 GB HDD volume: 300 GB Two network adapters with 1 Gbit/s data transfer rate Virtual machine settings: Only VMware ESXi hypervisor is fully supported. Nested virtualization is enabled Supported VMware ESXi versions 6.5, 6.7U3 or 7.0 hypervisor. Entire CPU clock rate reserved. For a minimum CPU clock this means 12*2100=25200 MHz reserved. For a clock rate higher than 2.21Hz, use the following formula to calculate the entire CPU clock rate: 12 * <clock rate in MHz>. Entire RAM reserved (32 GB). Expose hardware assisted virtualization to the guest OS check box selected. Latency Sensitivity option set to High. No Secure Boot. The maximum number of simultaneously running virtual machines set to 12. Please note, these cannot be checked from a debug report or from inside of the VM, as these settings are configured in a hypervisor. Checking VMX file Obtain a .vmx file of the respective sandbox VM. Demo video showing how to locate a .vmx file. Note, that in this video the goal is to modify the .vmx, and we only need to access it for reading, therefore, there is no need to unregister a VM from inventory as done in video. All the following lines in .vmx file must match exactly with the following two exceptions: For sched.cpu.min, the value can be higher than 25200, see formula above. Line uefi.secureBoot.enabled might be absent, which is OK. Correct .vmx settings numvcpus = "15" sched.cpu.units = "mhz" sched.cpu.min = "26400" memSize = "32768" sched.mem.min = "32768" vhv.enable = "TRUE" sched.cpu.latencySensitivity = "high" uefi.secureBoot.enabled = "FALSE" ethernet0.present = "TRUE" ethernet1.present = "TRUE" Checking number of slots In the Sandbox web interface window, select the Administration section. In the Guest virtual machines group of settings, in the Maximum simultaneous VMs field, number of simultaneously running virtual machines must equal 12.

Symptoms OS hang, sometimes with open file errors in journals Customer application degrades with errors "unable to open file", "too many open files" Hangs and third-party (compatibility) issues often require advanced data collection and are sophisticated to investigate. However, a quick check is possible: On a system where KESL has worked for some time (not immediately after reboot/restart), validate the output of the following command, ran as root, for numerous records of /usr/bin or /usr/sbin folders lsof | grep -E 'kesl.+DIR.+\/usr\/s?bin' Root Cause Under heavy load, KESL may display linear increase in file descriptors usage (sysctl - fs.file-nr) up to system-wide limit (sysctl - fs.file-max) and eventually degradation. Workaround Schedule restart of KESL service every week/day, depending on intensity of descriptors growth. NB: KESL restart will also reset progress of certain tasks like "malware scan" and "database update". Schedule KESL restart outside of tasks timeframes. Solution This issue was fixed in KESL 12.1.0.1274, so an update to that or newer version should fix it.

Problem Error Failed to get IP addresses for connecting to SVM appears during SVM deployment. Solution To troubleshoot this problem, you need to follow our step-by-step guide: I. Disable SVM rollback Go to C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIIS Console\ for KSV LA 5.1 or to C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIISLA Console for KSV LA 5.2 Edit the Kaspersky.VIISConsole.UI.exe.config file Uncomment <!--<add key="disableRollback" value="1" />--> (delete <!-- and-->) Save changes II. Enable VIIS traces Go to C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIIS\ for KSV LA 5.1 or to C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIISLA for KSV LA 5.2 Open NLog.config file in a text editor Find the line <logger name="*" minlevel="Info" writeTo="file"/> and change minlevel value from Info to Trace Save changes III. Enable extended logging of deployment wizard Go to C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIIS Console\ for KSV LA 5.1 or to C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIISLA Console for KSV LA 5.2 Open NLog.config file in a text editor Find the line <logger name="Kaspersky.Virtualization*" minlevel="Info" writeTo="DeployWizardLog" final="true"/> and change minlevel value from Info to Trace for KSV LA 5.1 and <logger name="DeployWizardFileLogger" minlevel="trace" writeTo="DeployWizardLog" final="true"/> and change minlevel value from off to Trace for KSV LA 5.2 Save changes IV. Start troubleshooting Start SVM deploying wizard and don’t forget to enable option Allow remote access via SSH for root account. Wait for the error and then, make sure that deployment wizard skipped rollback step. Disable all traces returning to the previous values. Connect to SVM directly, using hypervisor. Login to SVM OS under the root account, using default password 7czWtTKhCgrvEYBHb3rE This password can be applied only during troubleshooting process with disabling SVM rollback and it wouldn't work with normally deployed SVMs. Use command ifconfig to check if the SVM received network adapter settings, specified at the beginning of installation. Try to establish connection by SSH from KSC (where VIIS installed) to the SVM. If SSH connection fails, then there are no issues with Kaspersky product. You should configure the environment according to our system requirements. Especially, at the side of ports accessibility. Configuring ports used by the application If the SSH connection established successfully, please collect the following data and send it to Kaspersky Support: Data to be collected Screenshot of network settings that has been applied to the SVM VIIS log from - C:\ProgramData\Kaspersky Lab\VIIS\logs for LA 5.1 and C:\ProgramData\Kaspersky Lab\VIISLA\logs\ for LA 5.2 Deployment wizard detailed log from - C:\Users\<Account>\AppData\Local\Kaspersky_Lab\ViisConsole for LA 5.1 and C:\Users\<Account>\AppData\Local\Kaspersky Lab\Kaspersky VIISLA Console\logs\ for LA 5.2 /var/log/ – from SVM /var/opt/– from SVM

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. You need a Mac device with macOS 14+ to supervise iOS device log via Apple Configurator Your iOS device will be reset to factory settings during supervising Download Apple configurator via App Store. Run Apple Configurator. Connect your iOS device. Unlock the device and tap Trust. Select your device and click on the Prepare button Select 'Manual Configuration'. Check 'Supervise devices' and 'Allow devices to pair with other computers' (if you want to allow it). Click on the Next button. Leave it on "Do not enroll in MDM" and click on the Next button Click on the Skip button Enter information about your organization (only 'Name' filed is mandatory'). Click on the Next button. Select 'Generate a new supervision identity'. Click on the Next button. In the next window you should choose which steps will be presented to the user in Setup Assistant. You can choose 'Show all steps', 'Do not show any of these steps' and 'Show only some' steps - in this options you must select the steps. Click on Prepare button. Enter password for your macOS account Click on Erase button. Your device will be reset to factory settings. Wait while your device will be prepared When your device will be turned on, you should see that your device is supervised and managed by your organization in device settings Now you can install iOS MDM profile to this device and apply iOS MDM policy with options for supervised devices.

Description Error looks like this: You can't download trace log. But there is free space on the disk: Cause You will see this error if free disk space less than 10G. KWTS is not in sizing 200 GB of hard drive space, which includes: 25 GB for temporary file storage 25 GB for log file storage How to solve a problem Bring disk sizing to minimum hardware requirements

Description After generating a trace log and then attempting to download it via the KWTS 6.1 web interface, it fails with an error if the trace log is more than 1GB (one gigabyte). The error is duplicated on different devices in different browsers: Mozilla, Chrome, Edge. In Mozilla, the download stops with "Failed to download file" Chrome goes into an endless download attempt, the download is interrupted at 1GB, after which the speed drops to 0kb/s and the download starts all over again. How to solve To resolve the problem with downloading a large trace log, follow this procedure: 1) Connect to the Kaspersky Web Traffic Security node via SSH to access the technical support mode. If SSH access has not been previously configured, you must first log into the web interface as a local administrator and configure access by uploading the SSH public key. 2) Go to the /etc/nginx/conf.d directory, make a backup copy of the kwts_webapi.conf and kwts_controlapi.conf files if you have not done so before: cd /etc/nginx/conf.d cp -p kwts_webapi.conf kwts_webapi.conf.backup cp -p kwts_controlapi.conf kwts_controlapi.conf.backup 3) Open the /etc/nginx/conf.d/kwts_webapi.conf file for editing and add the line marked below in green to the location /web/api block: location /web/api { ... uwsgi_max_temp_file_size 0; include uwsgi_params; ... } 4) Open the /etc/nginx/conf.d/kwts_controlapi.conf file for editing and add the line marked below in green to the location /ctl/v1 block: location /ctl/v1 { ... uwsgi_max_temp_file_size 0; include uwsgi_params; } 5) Restart nginx using the command systemctl restart nginx 6) Check the status of the nginx service, it should be running. systemctl status nginx The described steps must be repeated on each node of the Kaspersky Web Traffic Security cluster. After completing the procedure, restart your web browser and reconnect to the Kaspersky Web Traffic Security 6.1 web interface.

To create a Certificate Signing Request file using the openssl utility: 1. Prepare a file named sandbox.config with the following contents: [req] default_bits=2048 prompt=no default_md=sha256 req_extensions=req_ext distinguished_name=dn [dn] C=AE ST=North L=Dubai O=ABC LAB OU=IT Security emailAddress=security@abc.lab CN=katasb.abc.lab [req_ext] subjectAltName=@alt_names [alt_names] DNS.1=katasb.abc.lab 2. Create a private RSA key with the PEM extension (without a passphrase): #openssl genrsa -out sandbox.key 2048 3. Create a Certificate Signing Request using the following command: #openssl req -new -sha256 -key sandbox.key -out sandbox.csr -config sandbox.config 4. Generate the certificate (as Web Server certificate) from Internal CA in Base 64 encoded and copy the certificate and key to the KATA SB Server Note: you might need to allow the connection using WinSCP (https://forum.kaspersky.com/topic/how-to-copy-files-tofrom-kata-katakedre-37146/ section 1.2). Access your internal CA from Domain Controller using https://dc.abc.lab/certsrv and follow the instructions as below screenshots. 5. To convert the DER encoded PKCS#7 file, use the following command: #openssl x509 -inform PEM -in sandbox.cer -out sandbox.crt 6. On the Sandbox server in SSH mode, Create a backup of original files both the private key and the certificate with same rights as it was before. #cp -p /etc/nginx/ssl/server.crt /etc/nginx/ssl/server.crt.orig #cp -p /etc/nginx/ssl/server.key /etc/nginx/ssl/server.key.orig 7. Replace the original files with your files #cat my_cert.crt > /etc/nginx/ssl/server.crt #cat my_cert.key > /etc/nginx/ssl/server.key 8. Rights and owner of the files should be same #ll /etc/nginx/ssl -rw-r----- 1 root klusers 2008 Feb 8 15:51 server.crt -rw------- 1 root root 1732 Feb 8 15:51 server.key 9. If the rights are different for the new files, then use the below command to change the rights and ownership #chmod 640 server.crt #chown root:klusers server.crt #chmod 600 server.key #chown root:root server.key 10. Restart nginx service #systemctl restart nginx.service 11. Open the KATA SB Web UI using the hostname and verify the certificate.

Descriptrion You can see an issue like this: You can also find log entries like this in diagnostic_info\logs\var\log\kwts-traces.log Line 1538367: Jan 11 18:12:33 kwts2 KWTS Licenser[1154]: 1241 INF httpcli#011Req 0x7fecd003b9d0 CURL: Could not resolve host: activate.activation-v2.kaspersky.com Line 1538460: Jan 11 18:12:33 kwts2 KWTS EventLogger[1062]: 1102 DBG APP: void lms::event_logger::LoggerHelperProcFrontend::SendCommand(const lms::event_logger::HelperProcCommand&, const string&)message is: license error: Could not resolve host Or like this Line 4667143: Nov 18 16:02:12 32-vs-kwts02 KWTS Licenser[1675]: 35735 DBG APP: virtual result_t lms::licenser::utils::RequestCompleteEvent::OnRequestComplete(licensing::facade::product::ILicensing*, licensing::facade::product::activation_action::Type, const ActivationCode&, result_t, licensing::facade::product::IActivationContent*) actionType = 0, activationCode = AW65R-BZ8CG-KBQ18-ANNZ2, result = 0xa0430005 Line 4667349: Nov 18 16:02:12 32-vs-kwts02 KWTS EventLogger[1552]: 1592 DBG APP: void lms::event_logger::Journalist::Write(const lms::event_logger::JournalRecord&) JournalRecordData(dateTime.dt: 133132501328539280, type: 9, person: kluser, result: 1, description: license error: Could not resolve host, details: { "name": "LicenseErrorEvent", "data": {#012 "reason": -1608777683#012} }) How to solve a problem It means that the problematic node could not resolve activation service. Check an access to activation services from the problematic node curl -v https://activation-v2.kaspersky.com/ --cacert activation-v2.kaspersky.crt And if there is no success connection, open an access to https://activation-v2.kaspersky.com https://activation-v2.kaspersky.com/ActivationService/ActivationService.svc And check a page with configuring network access - https://support.kaspersky.com/KWTS/6.1/en-US/189764.htm

Да, наверное. Ну и в главном окне продукта висит. В ветке репорта проблеме выставлен приоритет 4 (самый низкий), и вообще она закрыта для обсуждения. Так что ничего тут такого особенного разрабы AG не видят. Это больше пользователи возмущаются.)

Description You can face an issue like this on Events page in KWTS: Sometimes the search on the Events page works correctly. Sometimes not.. If you collect har-file (HOW TO) from Events page with reproduced issue you will see an error also in it: Also you can find an error in diagnostic_info\logs\var\log\kaspersky\kwts\extra\webapi.log: celery.backends.base.SoftTimeLimitExceeded: SoftTimeLimitExceeded(True,) Then you should check Maximum event log size (https://support.kaspersky.com/KWTS/6.1/en-US/174773.htm) in settings here: diagnostic_info\klinfo\worker_settings.xml Maximum event log size set to 10 GB. How to solve a problem You should set it to 9 GB. The KWTS architecture is not designed for a large event database size.

Don't forget to install 6.0.1 and 6.0.2 patch, which fixes some bugs in ICAP integration. Description and cautions Since we have new ICAP working modes, presented in KATA 6.0 - https://support.kaspersky.ru/KATA/6.0/en-US/247269.htm , we would like to show you, how to configure such integration on example of squid proxy server. Added ICAP integration with feedback. ICAP integration with feedback can work in two modes: Standard scan. In standard scan mode, the object is scanned by all supported technologies. While being scanned by the Sandbox component, the object remains available. If a threat is detected, the object is blocked. Advanced scan. In the advanced scan mode, objects are scanned by all supported technologies. While being scanned by the Sandbox component, the object is not available. If a threat is detected, the object is blocked. Details Reminder - this is just an example, but working one:) Squid configuration part Assuming you already have squid installed with default configuration (of course, yours could be different according to your infrastructure), add following lines in the end of /etc/squid/squid.conf (surely, change the IP address to yours) icap_enable on adaptation_send_username on adaptation_send_client_ip on icap_service kata_req reqmod_precache icap://10.68.56.219:1344/av/reqmod icap_service kata_resp respmod_precache icap://10.68.56.219:1344/av/respmod adaptation_access kata_req allow all adaptation_access kata_resp allow all icap_service_failure_limit -1 The only thing we changed here as well is at the start of squid.conf - source subnet, in order to adapt server to our Lab # # Recommended minimum configuration: # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.68.56.0/23 We also recommend to add these lines below as well, so you would be able to analyze ICAP logs logformat icap_squid %tl %6tr %rm %ru %rp %6icap::tr %>a %icap::to/%03icap::Hs %icap::rm %icap::ru %un %icap::<A %icap::<st %icap::>st %icap::<bs %icap::>h %icap::<h %icap::tr %icap::tio icap_log /var/log/squid/icap.log icap_squid ICAP logs are located at /var/log/squid/icap.log and look like So the whole picture should look like this Testing part If standard scan mode is enabled, let's check on KATA side, how it looks like in /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log grep --color 'blocking_simple mode' | grep 'verdict' In this example we can see that from URL file was scanned with verdict: clean (whitelist) 09:41:46.697 INF 137781 server/source/file_handler_respmod.cpp:435 [sid: 0x0000004d] RESPMOD: Finish processing file in blocking_simple mode (request url: 'r3.o.lencr.org', size: 503, filename: 'baf664a8a7841e1d057f5ab0da58bcf0', uuid: 5cc2d18781924f98b6e4961494125616, md5: baf664a8a7841e1d057f5ab0da58bcf0, format: GeneralBin), processing time: 0.147ms, verdict: clean (whitelist) File from URL with verdict: clean (cached) 09:40:14.476 INF 137778 server/source/file_handler_respmod.cpp:435 [sid: 0x0000004a] RESPMOD: Finish processing file in blocking_simple mode (request url: 'detectportal.firefox.com/success.txt?ipv6', size: 8, filename: 'success.txt', uuid: 25f155a67eff4a4a90b33dbbb4f3367c, md5: ae780585f49b94ce1444eb7d28906123, format: GeneralTxt), processing time: 0.124ms, verdict: clean (cached) URL with verdict: good (KSN) 09:42:37.334 INF 137780 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000004c] REQMOD: Finish processing url in blocking_simple mode ('box.kaspersky.com'), processing time: 3ms, verdict: good (KSN) File from URL verdict: clean (scanned) 09:35:14.691 INF 137770 server/source/file_handler_respmod.cpp:435 [sid: 0x00000042] RESPMOD: Finish processing file in blocking_simple mode (request url: 'detectportal.firefox.com/success.txt?ipv4', size: 8, filename: 'success.txt', uuid: 4c87c81cf3d543ceb6694d917329d2b8, md5: ae780585f49b94ce1444eb7d28906123, format: GeneralTxt), processing time: 124.894ms, verdict: clean (scanned) URL with verdict: bad (KSN) 10:05:18.354 INF 137802 server/source/file_handler_reqmod.cpp:187 [sid: 0x00000062] REQMOD: Finish processing url in blocking_simple mode ('kaspersky.com/test/wmuf'), processing time: 146ms, verdict: bad (KSN) If advanced scan mode is enabled, let's check on KATA side, how it looks like in /var/log/kaspersky/services/preprocessor_icap/preprocessor_icap.log grep --color 'blocking_advanced mode' | grep 'verdict' Picture is pretty the same, but from browser side you will see that object is blocked/inaccessible 10:54:01.341 INF 139635 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000000e] REQMOD: Finish processing url in blocking_advanced mode ('bug.qainfo.ru/test_cloud/wmuf'), processing time: 27ms, verdict: bad (KSN) 10:54:20.467 INF 139635 server/source/file_handler_reqmod.cpp:187 [sid: 0x0000000e] REQMOD: Finish processing url in blocking_advanced mode ('secure.eicar.org:443'), processing time: 0ms, verdict: good (KSN) 10:50:45.303 INF 139632 server/source/file_handler_respmod.cpp:435 [sid: 0x0000000b] RESPMOD: Finish processing file in blocking_advanced mode (request url: 'ocsp2.globalsign.com/gsorganizationvalsha2g3', size: 1461, filename: 'gsorganizationvalsha2g3', uuid: f88dd52252da4fdf8aaabc3aafdbdb0a, md5: 9a3ec48893b2952f013e03311b878e18, format: GeneralBin), processing time: 0.346ms, verdict: clean (whitelist) During tests at KATA web UI you should see activity on ICAP dashboard and under Security office we can see two alerts, generated after our tests (10.68.56.227 is squid IP address) In real world, of course, you will see other detects as well, for instance, on infected objects and malicious URLs.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem You change the account of the administration server service via the klsrvswch tool. Note that this is the only way to change the account, manual modification (for example, via services.msc) is not supported. Then, the you run the Install required updates and fix vulnerabilities task. As a result, the task is cancelled and updates are not installed. Diagnostics The following error can be found in $klserver-1093.log: 20.11.2023 10:26:16.683 00000ADC.000028C0 L4 KLSTD: Error 0x5 accessing the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#', m_dwWin32Access=0x80000000, m_dwWin32Creation=0x3, m_dwWin32Flags=0x8000000 20.11.2023 10:26:16.683 00000ADC.000028C0 L1 KLSTD: Error ERROR_ACCESS_DENIED (attempt 186 from 300) for the file 'C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#' When checking permissions of the file C:\ProgramData\KasperskyLab\adminkit\1093\.working\FTServer\#WSUS#, it lacks the new service account assigned to the kladminserver service: In this example, the Administration Server account is the old service account used to start the KSC service. Workaround Add the new KSC Service account or the KLAdmins group to the access control list of the #WSUS# file and grant it full access:

Versions Applicable to versions above 5: 5.0, 5.1, 6.0, 6.0.1, etc. You can fancy access log-history logs (former apt-history) directly for convenience purposes or if the kata-collect-siem-logs tool is malfunctioning for some reason. These logs are in gzip, sorted by dates, as files with names in format: /data/volumes/s3proxy/log-history/YYYY-MM-DD-HH-MM-SS, where YYYY-MM-DD-HH-MM-SS is the datetime. basename -a /data/volumes/s3proxy/log-history/2024* 2024-01-01-13-55-03 2024-01-17-12-00-14 2024-01-17-12-05-14 To access these logs, use the respective zless; zgrep; zcat tools. For example: zcat /data/volumes/s3proxy/log-history/2024-01-17-12-05-14 2024-01-17 12:00:59.924639 info apt-history: New IDS alert: {id: 63, importance: High, hidden: False, rule_id: 51310592, excluded rule: False, src: 18.156.136.240:80, dest: 10.63.100.252:2198, bases_version: 202401170033} Bonus: you can also use these tools to read rotated logs of kataservices in /var/log/kaspersky/services/: zgrep "FileNotFoundError" /var/log/kaspersky/services/web_backend/web_backend.log.1

Versions Applicable to versions later than 5.0, 5.1, 6.0, 6.0.1, etc. Problem There are several cases where the standard method of changing interface network settings via the Web UI is not available, e.g. the Web UI is inaccessible. Solution Become root, save the nodes settings: sudo su console-settings-updater get /deploy/deployment_api/nodes | python3 -m json.tool > /tmp/nodes Open the saved file for editing: vim /tmp/nodes Locate the desired network_settings, ifaces node, change the values tat you need to change: { "cc2cx0fltsjmxolid99p5loen": { "id": 1, "hostname": "1.srv.node1.node.dyn.kata", ... "network_settings": { "ifaces": [ { "iface_name": "ens160", "configuration_type": "static", "span": false, "address": "10.68.56.215", "netmask": "255.255.254.0", "gateway": "10.68.56.1", "mac": "00:50:56:a5:39:f6" }, { "iface_name": "ens192", "configuration_type": "static", "address": "100.100.100.100", "netmask": "255.255.255.0", "gateway": "100.100.100.1", "mac": "00:50:56:a2:5a:f6" } ] } } } Save your changes and exit Vim. Verify that the JSON structure is valid (the command returns no errors): cat /tmp/nodes | python3 -m json.tool Import the modified settings back: console-settings-updater set /deploy/deployment_api/nodes @/tmp/nodes

Description Here's how to install KATA 6.0 Ubuntu edition in KVM environment - https://support.kaspersky.ru/KATA/6.0/en-US/265697.htm In the example below we use RHEL 9.3, installed as VM in VMware Workstation Pro 17.0 Step-by-step guide First, you have to install QEMU/KVM , all steps are described HERE Then install from Software application Virtual Machine Manager, here it's 4.1.0 version. After successful installation just open up Virtual Machine Manager application, and click on the icon "Create a new virtual machine" Assuming, you have KATA Ubuntu ISO locally in OS, choose option below and click "Forward" Click "Browse" and "Forward" Click "Browse Local" Locate KATA Ubuntu ISO and click "Open" Next, do the steps as shown on picture below Click "Yes" Assign resources to VM according to THIS article (ignore our settings below, it's just a demo) and click "Forward" Configure a disk (ignore our settings below, it's just a demo) and click "Forward" Name your VM, select a network and click "Finish" Now you should see installation window, proceed like you usually do with standard KATA installation on VMware In this window select ONLY "single", cause KVM supports only this type of installation Select a disk and click "OK" Wait a bit and you should see that installation starts, and now you just have to wait for next step of installation/configuration Now select subnets (usually use default ones) by pressing Enter Choose network > assign IP (static or dhcp, in our example we use dhcp) > set password length and password itself > configure DNS servers Choose if you want capture traffic via SPAN (y or n) > configure NTP servers That's it, KATA installed Now you can login to web UI and configure server, in our example IP of server is 192.168.122.47, let's login to https://192.168.122.47:8443 and voila "Configure" and wait for completion

Scenario: KATA/EDR CN is integrated with the KPSN server, and you want to enrich the KPSN reputation database with the detections from the sandbox server. You can integrate a KATA Platform Central node with the KPSN reputation database and automatically populate it with information about the files that the sandbox technology finds to be dangerous and highly important. Pre-requisites: To configure sending checksums of the files detected by the sandbox technology to KPSN, you will need a certificate of a KPSN user account entitled to use KPSN API. Download the certificate (both parts, public and private) of a KPSN user who has permission to use KPSN API from the user’s profile in the KPSN web console. The KPSN administrator has the required permissions, but a pair of encryption keys of any user allowed to access the KPSN API will do as well. and key from the user’s profile from the KPSN web interface. You can provide the API access to the required user from KPSN Web UI → Users → and the API option should be enabled under permissions. To send the sandbox detections to KPSN: In the central node administrator’s console, open Settings | KPSN reputation database and specify: HOST – IP address of the KPSN server where the local KPSN reputation database is stored; TLS Certificate – a certificate for the user authentication in KPSN; TLS encryption key – private encryption key; There are two or more servers with different roles in a typical KPSN installation. A KPSN server can have several roles. Specify the IP address of the KPSN server that has the Monitoring Service role. In the Central node console of a senior security office, open Settings | KPSN reputation database and select the checkbox to Assign the ‘Untrusted’ status to objects. You can upload the test file to the KATA Central node for scanning, once the file is detected by Sandbox component, the checksum of the detected file will be published in the KPSN local reputation database. The KPSN administrator can manually create records in the KPSN reputation database. A record added by KATA/EDR has the KATA tag in the description. You cannot delete the KATA records, but you can disable them. Below screenshot display the samples hashes added in the KPSN Reputation database from the KATA server.

Description and cautions One may need to change the admin account's password (the account used for SSH login). KATA 5.0 For KATA 5.0 this article is not applicable. No option to change Local Administrator/ Cluster Administrator in pseudo-graphic menu available by default in 5.0 See https://forum.kaspersky.com/topic/how-to-reset-kata-web-administrator-password-in-kata-50-katakedre-36844/ Details In case of standalone Central node: Login to the web-interface of the CN. Enter admin credentials (used for SSH login). Go to admin account > change password as per below In case of Distributed deployment (PCN and SCN): Login to the web-interface of PCN. Enter admin credentials (used for SSH login). Go to admin account -> change password Login to SCN via SSH and change using the pseudographic menu ("Change cluster admin password..." option)

The KESMac 12 and the KESMac 11.3 patch C allows adding particular processes into the trusted section named Trusted Applications. The both filesystem and network activity of which can be ignored by the product increasing performance. Please, however, note that this could be potentially risky. https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/194142.htm Problem This article will describe a few ways to configure KES for Mac to exclude some of the software from the scope of the product. Solution Trusted applications In order to have an ability to exсlude an application from scanning with KES, a function of Trusted Applications available in Kaspersky Endpoint Security for Mac can be used: The Trusted applications section as seen in the policy creation wizard. Naturally, it can be configured later by modifying the policy. Update the plugin to at least version 11.3.0.33 to get the new functionality. In some specific cases it might be required to put several binaries to Trusted Applications simultaneously in order to take effect. So, a final solution might include several path-based exclusions accompanied by a few BundleID-based ones. Trusted Applications are only available for configuration via KSC policy; i.e. it is currently impossible to add application to exclusions having no KSC installed. Additionally, an appropriate application control plug-in for KESMac must be downloaded and installed on the KSC prior to using Trusted Application functionality. It can be found on the corresponding download page. Common exclusions for developers It's suggested excluding the following paths: "/Library/Developer/CommandLineTools" and "/Library/Toolchains" for the standard developers' utilities, as well as the "/Applications/Xcode.app/*" for the XCode. At the same time, in case you use alternative tools, contact Kaspersky Support to get the exact paths for further exclusions. Excluding TCP 443 from port monitoring Additionally, in case of HTTPS-connectivity issues, unchecking port 443 in Monitored ports may also help:

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials. Problem Description, Symptoms & Impact KES File Threat Protection sometimes can't check Microsoft office documents from mounted Google Drive shares, therefore generating Processing error events. This issue is caused by an incompatibility between Google Drive VFS driver and KES. There are no plans on making KES compatible with Google Drive. Workaround & Solution As a workaround, add files with Office extensions stored on the share to exclusions, this shouldn't lower protection, because Office creates a temporary copy of a document when it is opened, which will not be in the exclusion scope and will still be checked. Example for .xlsx files: Path\to\google\drive\folder\*.xlsx, where Path\to\google\drive\folder is replaced with an actual path.

This article will help you to check EDRO component correct installation and integration. What you need to know about EDRO 1 EDRO working with KES 11.7+, KSWS 11.0.1 and KSV LA 5.2 (Windows only), so called EPP https://support.kaspersky.com/KEDR_Optimum/2.3/en-US/216855.htm 2 You must use NWC for EDRO 3 You can't use only KEA for EDRO scenario. It always integrates with EPP. How to check that EDRO component installed correctly First of all you need to check whether KEA component was installed or not. And if it's installed then was it integrated with EPP. KES Starting with KES 11.7 EDRO agent is integrated in the KES. First of all, check component status in MMC or NWC MMC NWC If you see Not supported by license, pay attention to the version. If you see 0.0.0.0 or N/A, it means that component is not installed. Not supported by license doesn't mean that there is no license for EDRO, it may mean that component is not installed on the host. When component is installed but not activated, you'll see installed component version: MMC NWC If component was installed and was not activated, it will look like this in the KES GUI: If component is not installed, then there will be no Detection and Response section in the KES GUI (in case MDR is installed, then there will be section Detection and Response, but there will be no Endpoint Detection and Response Optimum like you see above). How to check EDRO license in the KES UI You can check license components in the KES GUI. If there is no Optimum word, license do not support EDRO. For example: And there's an example when license key supports EDRO: KSWS During KSWS installation you must enable Endpoint Agent, even if KEA was already installed on the host. KSWS detects it and enables connector with existing KEA (KEA will not be reinstalled). This is how correctly installed KSWS + KES looks like in the MMC: And if it not installed: KSV LA There is no change components task. You can change them only during the upgrade or installation. Reinstallation requires reboot. During installation you need to choose Custom installation and enable integration with KEA Remember that you can enable integration in the installation package properties in the KSC. How to check NWC setup for EDRO What to do if there is no Alerts section in the NWC. How it looks If there is no Alerts section in the WEB UI Go to the settings: And enable EDR alerts: In the KSC NWC there will be EDRO plugin by default. It installs with the console. So the only way to reinstall it - reinstall NWC. How detection looks without installed EDRO component If you see detection but without enriched information, you'll see it like this: In the Enrichment and response section you'll see only Basic. It means where was a detection but no additional information about it was collected. Main reason why this may happen is that there's no EDRO component on the host.

Step-by-step guide You need a Mac device to collect iOS device log via Apple Configurator. Download Apple configurator via App Store. Run Apple Configurator. Connect your iOS device. Unlock the device and tap Trust. Open the iOS device → Console. Reproduce the issue. Save the log in Apple configurator. Try to save the log as soon as possible after you reproduce the issue, because the log is constantly being overwritten. Send the collected log file to Kaspersky support for further analysis.

Problem Description, Symptoms & Impact Sometimes an error might occur when installing KSE: KseCheckServicePortIsFreeActionStep has completed with an error: Service network port 13100 is occupied by another application… Diagnostics Screenshot or KSEInfoCollector. Make sure that port 13100 is open and not used by any application, and repeat the installation. This can be done using the command below. You will see a chart with a process ID (PID column) next to the address and port: netstat -aon | findstr 13100 You can then find this process by the ID in Task Manager or using the command below. Use the process ID you found in the previous command instead of the %PID% below: tasklist /fi "pid eq %PID%" Example tasklist /fi "pid eq 18060" Workaround & Solution There's no way to change the port used by KSE. So, the only option here is to free the port used by an application and repeat the installation. Sometimes ISS or W3WP.exe might be using the port. In some cases, this port is occupied after the Exchange updates, and the port should be released after the server restart. RCA Some application is using the port 13100.