All Activity
-
How to reset KATA web Administrator password in KATA 5.0 [KATA/KEDRE]
Problem
There is no option to change the Local Administrator / Cluster Administrator password in the pseudo-graphic menu available by default.
Solution
a) Upgrade to 5.1, or
b) Follow these steps:
1. Download the archive with the WHL packages and upload it to the KATA CN as /tmp/change_password.zip.
2. Extract it (unzip is not shipped by default):
echo -e "import zipfile\nwith zipfile.ZipFile('/tmp/change_password.zip', 'r') as z:\n z.extractall('/tmp/')" | python3
3. Become root: sudo su
4. Confirm this is the right node: docker ps | grep kedr_database_server
5. Install the installer patch (installer-1.0-py3-none-any.whl): pip3 install --ignore-installed --no-deps /tmp/installer-1.0-py3-none-any.whl
6. Install the docker_utils patch (docker_utils-1.0-py3-none-any.whl): pip3 install --ignore-installed --no-deps /tmp/docker_utils-1.0-py3-none-any.whl
7. Restrict the password-change tool to root: which kata-web-admin-change-password | xargs chmod 754
8. Change the password: kata-web-admin-change-password
Enter the new password at the prompt. No confirmation or validation is shown, so type it carefully.
Selecting the correct node
The script must be executed on the node running the kedr_database_server container; by default this is the processing node installed first (node2 in a cluster). If it is run on the wrong node, a hint is shown naming the right one.
-
How to set the search mode of the nearest DP (klnagent sends ICMP packets to find out the nearest distribution point (time to live exceeded in transit)) [KSC for Windows]
Description and cautions
You may notice a low time-to-live (TTL) value in ICMP packets sent by klnagent; in a Wireshark capture they show up as "Time to live exceeded in transit" replies (screenshot omitted).
Explanation: there are two distribution point (DP) search modes:
0 - search for the nearest DP with a traceroute-like method. klnagent sends a series of ICMP packets with increasing TTL to find the shortest route to a DP. This is the default mode.
1 - select a random DP without sending that amount of ICMP packets.
The mode is configured on the Administration Server computer with the klscflag utility and applies to all managed hosts. Run the following as administrator on the KSC Server computer to switch to mode 1:
klscflag.exe -fset -pv klserver -n SrvChooseUaMode -v 1 -t d
Restart the kladminserver service to apply the change. In mode 1 the DP is chosen at random among all available DPs, so a host may be assigned a DP that is not the closest one; weigh this against the traceroute-like ICMP traffic of mode 0.
-
Description and cautions
A KSN connection error may appear in the KATA web interface.
Details
1. This can be fixed only if the KSN errors are not permanent. Check ksn_proxy.log at DEBUG level; the keyword is ErrCount. If you never see "ErrCount: 0" in the log, the node has no access to the KSN servers, which are:
*.ksn.kaspersky-labs.com
ksn-*.kaspersky-labs.com
ds.kaspersky.com
In that case fix the network access first: raising the alert threshold below only hides the alert, and KSN-dependent verdicts stay degraded.
2. To fix the web error, do the following.
For KATA 4.0/4.1, as root on the CN execute:
apt-settings-manager set --merge /configuration/preprocessor '{"ksn": {"non_dl_formats": ["GeneralHtml", "GeneralTxt", "ExecutableJs", "ImageGif", "ImageJpeg", "ImagePng", "ArchiveCab"], "request_threads": 4, "timeout": "PT1.5S"}}'
PT1.5S means 1.5 seconds; do not increase it further.
Then raise errors_increase_threshold to 100 (check the ksn_proxy DEBUG log to see how many KSN connection errors you actually get and adjust this value accordingly):
apt-settings-manager set --merge /configuration/monitoring_prometheus '{"ksn_proxy": {"errors_increase_threshold": 100, "errors_window_period": "10m", "scraping_alert_for_interval": "1m", "scraping_evaluation_interval": "30s"}}'
If this helps, make the change persistent in /etc/opt/kaspersky/apt-swarm/swarm_config.json (vim). Find the ksn block and set the timeout:
"ksn": { "non_dl_formats": [ "GeneralHtml", "GeneralTxt", "ExecutableJs", "ImageGif", "ImageJpeg", "ImagePng", "ArchiveCab" ], "request_threads": 4, "timeout": "PT0.5S" <<<<< set PT1.5S
Find the ksn_proxy block and set the threshold:
"ksn_proxy": { "errors_increase_threshold": 2, <<<<< set 100 "errors_window_period": "10m", "scraping_alert_for_interval": "1m", "scraping_evaluation_interval": "30s" }
For KATA 5+/6+, use one line:
console-settings-updater set --merge /kata/configuration/product/monitoring_prometheus '{"alert_settings": {"ksn_proxy": {"errors_increase_threshold": 100}}}'
If 100 does not help, you may increase it to 150-200.
Or use the long way. As root on the CN, dump the current settings:
console-settings-updater get /kata/configuration/product/monitoring_prometheus | python3 -m json.tool > /tmp/monitoring_prometheus
Edit /tmp/monitoring_prometheus (vim or nano) and find the block
"ksn_proxy": { "errors_increase_threshold": 100, <<<<<< put 100 here instead of the default 2
Save the file (ESC :wq!) and write the changes back to the container:
console-settings-updater set /kata/configuration/product/monitoring_prometheus @/tmp/monitoring_prometheus
If 100 does not help, you may increase it to 150-200.
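The two checks the article asks for (does ErrCount ever return to 0, and what does a merged threshold change actually do to the settings document) as an added Python example that is not part of the article or of the KATA tooling. The ksn_proxy.log lines are constructed; only the "ErrCount: N" token is taken from the article, the rest of the line layout is an assumption. The merge function models the behaviour of "set --merge" (nested objects merged key by key, other values replaced) and the settings document is a constructed stand-in, so treat both as assumptions about the real tool.

```python
import copy
import json
import re
from typing import Dict, List

# Constructed sample of ksn_proxy.log DEBUG lines. Only the "ErrCount: N"
# token comes from the article; the surrounding layout is assumed.
SAMPLE_KSN_PROXY_LOG = """\
2024-03-01 10:00:01 DEBUG ksn_proxy: request sent, ErrCount: 0
2024-03-01 10:00:31 DEBUG ksn_proxy: timeout talking to ds.kaspersky.com, ErrCount: 1
2024-03-01 10:01:01 DEBUG ksn_proxy: timeout talking to ds.kaspersky.com, ErrCount: 2
2024-03-01 10:01:31 DEBUG ksn_proxy: request sent, ErrCount: 0
2024-03-01 10:02:01 DEBUG ksn_proxy: timeout talking to ds.kaspersky.com, ErrCount: 1
""".splitlines()

ERRCOUNT_RE = re.compile(r"\bErrCount:\s*(\d+)")


def errcount_samples(log_lines: List[str]) -> List[int]:
    """Extract every ErrCount value, in log order."""
    values = []
    for line in log_lines:
        m = ERRCOUNT_RE.search(line)
        if m:
            values.append(int(m.group(1)))
    return values


def ksn_reachable(log_lines: List[str]) -> bool:
    """Article's rule of thumb: KSN is reachable if the counter ever returns to 0.
    If it never does, raising the alert threshold only hides a real outage."""
    return 0 in errcount_samples(log_lines)


def merge_settings(current: Dict, patch: Dict) -> Dict:
    """Recursive merge in the spirit of 'set --merge': nested dicts are merged
    key by key, any other value in the patch replaces the current one.
    The input dict is left untouched. (Assumed to match the tool's semantics.)"""
    merged = copy.deepcopy(current)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_settings(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


# Constructed stand-in for the monitoring_prometheus document of KATA 5+/6+.
CURRENT_MONITORING = {
    "alert_settings": {
        "ksn_proxy": {
            "errors_increase_threshold": 2,
            "errors_window_period": "10m",
            "scraping_alert_for_interval": "1m",
            "scraping_evaluation_interval": "30s",
        },
        "other_component": {"errors_increase_threshold": 5},
    }
}

# The exact JSON string passed to console-settings-updater in the article.
KSN_PROXY_PATCH = '{"alert_settings": {"ksn_proxy": {"errors_increase_threshold": 100}}}'


def apply_ksn_patch(current: Dict, patch_json: str = KSN_PROXY_PATCH) -> Dict:
    """Apply the one-line patch from the article to a settings document."""
    return merge_settings(current, json.loads(patch_json))


if __name__ == "__main__":
    print("KSN reachable:", ksn_reachable(SAMPLE_KSN_PROXY_LOG),
          "max ErrCount:", max(errcount_samples(SAMPLE_KSN_PROXY_LOG)))
    print(json.dumps(apply_ksn_patch(CURRENT_MONITORING), indent=2))
```

Run it against a real ksn_proxy.log by replacing SAMPLE_KSN_PROXY_LOG with the file's lines; if ksn_reachable() is False the threshold change is the wrong fix and the firewall/proxy path to the KSN hosts needs attention first.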
-
Problem: A Group On Demand Scan task for Windows Kaspersky Light Agent 5.2 / Linux Kaspersky Light Agent 5.2, once created and launched, may detect an infected object but fail to delete it.
Solution:
1. Delete the created Group On Demand Scan task(s) for Windows/Linux Kaspersky Light Agent 5.2.
2. Delete all created Windows/Linux Kaspersky Light Agent 5.2 policies.
3. Add the registry key on the Kaspersky Administration Server: import 5_2_ksc_win_x86_fix.reg if the Administration Server runs on an x86 operating system, or 5_2_ksc_win_x64_fix.reg on x64.
4. Create the Windows/Linux Kaspersky Light Agent 5.2 policies anew.
5. Create the Group On Demand Scan task for Windows/Linux Kaspersky Light Agent 5.2 again and launch it.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Problem
Images with KEA pre-installed may be cloned to multiple devices, and some hardware vendors (e.g. ACER) do not follow the standard and ship hardware with non-unique BIOS IDs. As a result, telemetry from different agents can be merged into a single record.
Symptoms
- Certain host names appear in KATA alerts, but a search returns 0 events, and those host names are absent from the agent list.
- When looked up by IP in the database or logs, the UUID turns out to be non-unique or to belong to another host.
- The same UUID appears in KEA logs from different machines.
- One of the following UUIDs appears in the logs: 03000200-0400-0500-0006-000700080009, 6ab5b300-538d-1014-9fb5-b0684d007b53, 0bea76da-28ca-4e13-9715-361a8bbf3bc8.
Solution for KEA
Run the new script on the affected machine to reset the UUID.
Solution for KES with built-in Endpoint Agent
Download the script and unpack it. Check the KES version inside it and change it if needed. Turn off the KES Self-Defense feature, run the script, then restart KES; the UUID should change (if restarting KES does not work, reboot the machine). For 32-bit systems use the 32-bit script. Turn Self-Defense back on afterwards.
Solution for KESL with built-in Endpoint Agent
uuidgen > /var/opt/kaspersky/epagent/install_id
uuidgen > /var/opt/kaspersky/kesl/common/pcid
systemctl restart kesl
Solution for LENA
Remove LENA from the host, run rm /var/opt/kaspersky/kesl/common/install_id, then reinstall LENA.
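Finding the affected hosts before running the reset scripts, as an added Python example that is not part of the article or of any Kaspersky tool. It correlates agent UUIDs with host names over a constructed sample log (the "host=... ip=... uuid=..." line layout is an assumption for this example, not the real KEA log format) and flags both UUIDs shared by several hosts and the three placeholder UUIDs the article lists.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# UUIDs the article lists as known-bad (placeholder / cloned values).
KNOWN_NON_UNIQUE_UUIDS = {
    "03000200-0400-0500-0006-000700080009",
    "6ab5b300-538d-1014-9fb5-b0684d007b53",
    "0bea76da-28ca-4e13-9715-361a8bbf3bc8",
}

# Constructed sample: one line per agent check-in. The line layout is an
# assumption made for this example, not the real KEA log format.
SAMPLE_AGENT_LOG = """\
2024-03-01T08:00:00Z host=PC-0001 ip=10.36.35.10 uuid=8f2c1d7e-4b5a-4c3d-9e1f-0a1b2c3d4e5f
2024-03-01T08:00:05Z host=PC-0002 ip=10.36.35.11 uuid=03000200-0400-0500-0006-000700080009
2024-03-01T08:00:09Z host=PC-0003 ip=10.36.35.12 uuid=03000200-0400-0500-0006-000700080009
2024-03-01T08:00:12Z host=PC-0004 ip=10.36.36.7 uuid=c4a1e0d2-7f3b-4e8a-b2c9-5d6e7f8a9b0c
2024-03-01T08:00:20Z host=PC-0005 ip=10.36.36.8 uuid=c4a1e0d2-7f3b-4e8a-b2c9-5d6e7f8a9b0c
2024-03-01T08:01:00Z host=PC-0001 ip=10.36.35.10 uuid=8f2c1d7e-4b5a-4c3d-9e1f-0a1b2c3d4e5f
""".splitlines()

LINE_RE = re.compile(
    r"host=(?P<host>\S+)\s+ip=(?P<ip>\S+)\s+uuid=(?P<uuid>[0-9a-fA-F-]{36})"
)


def uuid_to_hosts(log_lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each agent UUID to the set of host names that reported it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.search(line)
        if m:
            seen[m.group("uuid").lower()].add(m.group("host"))
    return dict(seen)


def shared_uuids(log_lines: Iterable[str]) -> Dict[str, List[str]]:
    """UUIDs reported by more than one host: these agents' telemetry will be
    merged into a single record on the KATA side."""
    return {
        u: sorted(hosts)
        for u, hosts in uuid_to_hosts(log_lines).items()
        if len(hosts) > 1
    }


def hosts_needing_reset(log_lines: Iterable[str]) -> List[str]:
    """Hosts to run the reset procedure on: every host behind a shared UUID,
    plus any host reporting one of the known placeholder UUIDs."""
    by_uuid = uuid_to_hosts(log_lines)
    affected: Set[str] = set()
    for u, hosts in by_uuid.items():
        if len(hosts) > 1 or u in KNOWN_NON_UNIQUE_UUIDS:
            affected.update(hosts)
    return sorted(affected)


if __name__ == "__main__":
    for u, hosts in shared_uuids(SAMPLE_AGENT_LOG).items():
        flag = " (known placeholder)" if u in KNOWN_NON_UNIQUE_UUIDS else ""
        print(f"{u}{flag}: {', '.join(hosts)}")
    print("reset on:", hosts_needing_reset(SAMPLE_AGENT_LOG))
```

Every host behind a shared UUID needs the reset, not just the "extra" ones: once the image has been cloned there is no way to tell which copy is the original.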
-
KATA Sandbox provides CLI tools to manage SB images, ISO files and the number of VM slots. For details, see below.
Slots
Sometimes it is convenient to change the number of slots via CLI. Become root and run:
/opt/kaspersky/sandbox/bin/sandbox-slots-setup <number of slots>
Example, changing the slot count via CLI:
# /opt/kaspersky/sandbox/bin/sandbox-slots-setup 12
Images
ISOs are managed with the sb-vm-iso tool.
# sb-vm-iso
Usage: --list-iso --state [<iso-name>] --install <iso-name> --check-install <iso-name> --remove <iso-name> --add <iso-path>
# sb-vm-iso --list-iso
{"iso": ["sandbox-images-centos7_x64-1.0.0.19888.x86_64.iso", "sandbox-images-win10_x64-1.1.0.18829-vl.x86_64.iso"]}
VMs
VMs are managed with the sb-vms tool.
# sb-vms
Usage: --list-vms --list-non-activated --activate <vm_id> '[{"id": "<component-id>", "key": "<component-key>"} ]' --apply-all --reset --remove <vm_id>
# sb-vms --list-vms
{"vms": [{"id": "CentOS7_x64-1.0.0.19888", "name": "CentOS7_x64-1.0.0.19888", "status": "installed", "description": ""}, {"id": "Win10_x64-1.1.0.18829", "name": "Win10_x64-1.1.0.18829", "status": "installed", "description": ""}]}
VM removal with the sb-vms tool
Counterintuitively, the IDs returned by "sb-vms --list-vms" do not work with "sb-vms --remove".
Instead, take the image names from the kata_scanner configuration (etcd) on the Central Node. On KATA 4.1 use apt-settings-manager:
# apt-settings-manager get /configuration/kata_scanner | python -m json.tool | grep images -A5
"images": [ "CentOS7_x64", "Win7_x64", "Win10_x64", "WinXP" ],
Then remove the images one by one on the KATA 4.1 Sandbox:
# sb-vms --remove CentOS7_x64
# sb-vms --remove WinXP
# sb-vms --remove Win7_x64
# sb-vms --remove Win10_x64
The same principle applies to KATA 5+/6+; get the names from the kata_scanner configuration (etcd) on the Central Node with console-settings-updater:
# console-settings-updater get /kata/configuration/product/kata_scanner | python3 -m json.tool | grep images -A6
"images": [ "Astra_x64", "CentOS7_x64", "Win7_x64", "Win10_x64", "WinXP" ],
Then remove the images one by one on the KATA 5+/6+ Sandbox:
# sb-vms --remove Astra_x64
# sb-vms --remove CentOS7_x64
# sb-vms --remove WinXP
# sb-vms --remove Win7_x64
# sb-vms --remove Win10_x64
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Consider the following scenario: you have a large local area network, 10.36.0.0/16, and a managed device with IPv4 address 10.36.35.10 and subnet mask 255.255.255.0. You create a new subnet condition 10.36.0.0/16 for a klnagent connection profile.
Actual result: the connection profile is not applied to the managed device.
The reason is the equality logic used by klnagent. To decide whether the condition matches, it compares the device's current IP address and subnet mask with the condition: the address 10.36.35.10 is within the 10.36.0.0/16 network, but the device's subnet mask 255.255.255.0 is not equal to the 255.255.0.0 specified in the condition, so the condition does not match.
Solution: for the rule to work correctly, each /24 subnet of the larger 10.36.0.0/16 network (including 10.36.35.0/24) must be added as a separate condition, i.e. 10.36.0.0/24, 10.36.1.0/24, ... , 10.36.255.0/24.
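The matching rule described above, as an added Python example that is not part of the article and not klnagent's code: it models the check (address inside the condition network and device mask equal to the condition mask), shows why the /16 condition fails for a /24 device, and generates the list of /24 conditions to add. The model of the comparison is taken from the article's description; the function names are this example's own.

```python
import ipaddress
from typing import List


def klnagent_condition_matches(device_ip: str, device_mask: str, condition: str) -> bool:
    """Model of the check described above: the device address must lie inside
    the condition network AND the device's own subnet mask must equal the
    mask of the condition. Membership alone is not enough."""
    net = ipaddress.ip_network(condition, strict=True)
    ip = ipaddress.ip_address(device_ip)
    mask = ipaddress.ip_address(device_mask)
    return ip in net and mask == net.netmask


def expand_conditions(supernet: str, device_mask: str) -> List[str]:
    """Split the large network into the conditions that will actually match
    devices configured with device_mask (e.g. a /16 into 256 /24s)."""
    net = ipaddress.ip_network(supernet, strict=True)
    target = ipaddress.ip_network(f"0.0.0.0/{device_mask}").prefixlen
    if target < net.prefixlen:
        raise ValueError(f"device mask /{target} is wider than {supernet}")
    return [str(s) for s in net.subnets(new_prefix=target)]


def matching_conditions(device_ip: str, device_mask: str, conditions: List[str]) -> List[str]:
    """Which of a profile's conditions a given device would satisfy."""
    return [c for c in conditions if klnagent_condition_matches(device_ip, device_mask, c)]


if __name__ == "__main__":
    dev = ("10.36.35.10", "255.255.255.0")
    print("/16 condition matches:", klnagent_condition_matches(*dev, "10.36.0.0/16"))
    conds = expand_conditions("10.36.0.0/16", "255.255.255.0")
    print(len(conds), "conditions; device matches", matching_conditions(*dev, conds))
```

If the site mixes mask lengths (some /24 VLANs, some /25), run expand_conditions once per mask length that is in use; a condition only ever matches devices whose mask equals its own.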
-
Error 27211. Failed to enable Self-Defense [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Problem Description
While installing KES for Windows via a KSC installation package, the following error appears and stops the installation. Possible causes: KES components were already installed before the installation, or required driver files were not found.
Workaround & Solution
Use kavremover and reinstall KES with the latest patch. If kavremover does not help, collect procmon and KES installation logs and a current GSI with event logs, and submit a case to Kaspersky support. -
KSC Upgrade [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
The best practice is to back up your current Administration Server and then install the new version of Kaspersky Security Center. To do so, follow these steps: Back up the data of Kaspersky Security Center using one of the methods described below: Backup and Restore Wizard Backup task Check if you can install Kaspersky Security Center on your current server. For system requirements, see Online Help. Then export the list of currently installed plug-ins in the .csv format. Download the latest version of Kaspersky Security Center. Install Kaspersky Security Center. For instructions, see Online Help. If needed, you can restore the Administration Server data. For details, see Online Help. Important notes Make a note of the password configured during the backup process. Install Kaspersky Security Center on a new server if your current database server is not supported. Then restore the database data. Restoration works between database servers of the same type. If you use an SQL Server as a DBMS, you can migrate data to MySQL or MariaDB DBMS before the upgrade. For details, see Online Help. It is possible to restore data from the SQL Express database to the SQL Standard database, but the restoration of data from the SQL Standard database to the SQL Express database is supported with limitations. For further details, please check this Online Help page. -
KLFOC - Upgrade to KSC 14.x [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
Description and cautions
This article describes the upgrade of a KSC failover cluster (klfoc) from release 13.2 to release 14.x.
Prerequisites: KSC 13.2 on MS Windows.
1. Download KSC 14.
2. Back up the KSC Administration Server.
3. Back up the KSC database.
4. Export policies (NA, KES) and encryption keys.
5. Run cmd as administrator on the active node, go to <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center and run: klfoc -stopcluster --stp klfoc (Online Help: https://support.kaspersky.com/KSC/14/en-US/222447.htm)
5.1. Check that all Kaspersky Security services have stopped on both nodes.
6. Install KSC 14 on the primary node: run the ksc_14_<build number>_full_<language>.exe file (Online Help: https://support.kaspersky.com/KSC/14/en-US/235429.htm)
6.1. If the name of the load balancer matches the name of the first node, the upgrade may appear to "freeze" and finishes only after several network connection timeouts, logged as: EventsProcessorProxy: #1281 Failed to establish connection with the remote device (location: 'http://kscnode01.demo.lab:13000'): connection has failed.
6.2. Perform the same steps on the passive node: run the ksc_14_<build number>_full_<language>.exe file (Online Help: https://support.kaspersky.com/KSC/14/en-US/235429.htm)
7. Run cmd as administrator on the active node, in <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center, and run: klfoc -startcluster --stp klfoc (Online Help: https://support.kaspersky.com/KSC/14/en-US/222447.htm)
8. Connect to the Administration Server.
9. Restart the passive node or start the klfoc service.
10. Verify that the devices and policies are available in the console. -
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article gives working configuration instructions for domain authentication using the NTLM and Kerberos protocols.
NOTE: Domain authentication in OpenAPI over Kerberos has the following restrictions:
- The Administration Server address must be specified exactly as the address for which the Service Principal Name (SPN) is registered for the domain account.
- In the domain, an SPN must be set to publish the OpenAPI service on port 13299 for the Administration Server machine, whose service runs under the domain user <domain-user>.
- The Kaspersky Security Center 13 Web Console user must be authenticated in Active Directory by Kerberos.
- Kerberos authentication must be allowed in the web browser; for details, refer to the documentation of the browser in use.
Details
SPN - Service Principal Name
Log in to the Domain Controller as a domain administrator, open PowerShell as administrator and run:
setspn.exe -A HTTP/hostname-node-1.domain.local -u domain\user-ksc-service
setspn.exe -A HTTP/hostname-node-2.domain.local -u domain\user-ksc-service
Example:
setspn.exe -A HTTP/kscw-node-1.sales.lab -u sales\ksc
setspn.exe -A HTTP/kscw-node-2.sales.lab -u sales\ksc
setspn.exe -L -u sales\ksc    # check the registered SPN records
Response:
Registered ServicePrincipalNames for CN=KSC Service,CN=Users,DC=sales,DC=lab:
HTTP/kscw-node-1.sales.lab
HTTP/kscw-node-2.sales.lab
A duplicate SPN (the same HTTP/<host> registered on two accounts) silently breaks Kerberos for that host. setspn -S adds an SPN only after checking the forest for duplicates, so prefer it over -A, and use setspn -Q HTTP/<host> to look for an existing registration first.
Enable Kerberos/NTLM authentication in web browsers
Microsoft Edge / Internet Explorer: press Win+R and run inetcpl.cpl. On the Security tab select Local intranet and click Sites; in the dialog box click Advanced and add the host name of the Web Console (e.g. host.company.com), then click Close and OK. Click Custom level: under Scripting enable Active scripting; under User Authentication \ Logon select Automatic logon only in Intranet zone; click OK. On the Advanced tab, in the Security section of the Settings list, select Enable Integrated Windows Authentication and click OK.
Mozilla Firefox (https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication): launch Firefox, enter about:config in the URL bar and press Enter. In the filter box enter network.negotiate, double-click network.negotiate-auth.trusted-uris and enter the host name of the Web Console (e.g. host.company.com). Repeat for network.negotiate-auth.delegation-uris.
Google Chrome: add the registry value Software\Policies\Google\Chrome\AuthServerWhitelist equal to *.<domain-name>.local, and Software\Policies\Google\Chrome\AuthNegotiateDelegateWhitelist equal to *.<domain-name>.local (current Chrome versions use the policy names AuthServerAllowlist and AuthNegotiateDelegateAllowlist for the same settings).
Keep the delegation lists (delegation-uris, AuthNegotiateDelegateWhitelist) as narrow as possible: they allow the browser to forward the user's Kerberos credentials to the listed hosts, so a wildcard covers every host in the domain.
-
Description and cautions
The article shares working examples of KSC OpenAPI calls for one of the available scenarios: retrieving task results and statistics data for dashboards and reports.
With the Windows (cmd.exe) build of cURL, wrap each argument in double quotes and escape the inner double quotes with "\", otherwise the request fails. For example:
"Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\""
Details
Prerequisites: an internal KSC user, here api-user.
Example values used below:
KSC address: 127.0.0.1 (an external address works as well)
API port: 13299 (default)
User: api-user (internal KSC user), base64: YXBpLXVzZXI=
Password: password, base64: cGFzc3dvcmQ=
Authentication type: Authenticated session (other types are listed in the KSC Open API description)
All requests are given in cURL format; the KlAkOAPI Python package can be used as an alternative.
Login
Start a session with KSC (Session::StartSession):
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
--header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'
The user name and password are only base64-encoded, not encrypted, so the call must go over HTTPS. Online encoders such as https://www.base64encode.org/ are fine for a test account, but do not paste production credentials into a third-party site; use a local tool (base64 on Linux, [Convert]::ToBase64String in PowerShell).
Response:
{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }
PxgRetVal is the session ID. Pass it in the X-KSC-Session header of every following request and end the session when done; the session IDs in the examples below were taken from several different sessions.
Policy change alerts / critical task status
Audit events
Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' --header 'Content-Type: application/json' --data-raw '{ "pFilter": { "EVP_INCL_GNRL_EVENTS": true, "EVP_INCL_TASK_STATES": false, "EVP_MAX_EVENTS_COUNT": 3000, "KLEVP_EVENT_GNRL_TYPES_ARRAY": [ "KLAUD_EV_SERVERCONNECT", "KLAUD_EV_OBJECTMODIFY", "KLAUD_EV_TASK_STATE_CHANGED", "KLAUD_EV_ADMGROUP_CHANGED", "KLAUD_EV_SERVERDISCONNECT", "KLAUD_EV_OBJECTPROPMODIFIED", "KLAUD_EV_OBJECTACLMODIFIED" ], "Name": "Audit events", "PredefinedID": "PREDEFINED_QUERY_ID_AUDIT_EVENTS"}, "vecFieldsToReturn": [ "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version", "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8", "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID", "GNRL_EA_PARAM_3" ], "vecFieldsToOrder": [], "lifetimeSec": 1000 }'
Response (iterator ID):
{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}
Read a range of records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' --header 'Content-Type: application/json' --data-raw '{ "strIteratorId":"A07B69A5347CF435DB66C0FA826371FF", "nStart": 0, "nEnd": 100 }'
Response:
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....
Detection of threats
Create an event processing iterator filtered on the event type (EventProcessingFactory::CreateEventProcessing2):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessingFactory.CreateEventProcessing2' --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' --header 'Content-Type: application/json' --data-raw '{ "pFilter": { "KLEVP_EVENT_TYPE": "GNRL_EV_VIRUS_FOUND"}, "vecFieldsToReturn": [ "event_db_id", "rise_time", "hostname", "hostdn", "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name", "product_name", "product_version", "product_displ_version", "GNRL_EA_SEVERITY", "GNRL_EA_PARAM_1", "GNRL_EA_PARAM_8", "task_display_name", "registration_time", "KLVSRV_DN", "KLEVP_EVENT_GROUP_TASK_ID" ], "vecFieldsToOrder": [], "lifetimeSec": 1000 }'
Response (iterator ID):
{"strIteratorId":"48E14F430EF0058BB039929318693123"}
Read a range of records from the iterator (EventProcessing::GetRecordRange):
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' --header 'X-KSC-Session: n/euPaWcHBCk5Oz76XFLsSg==' --header 'Content-Type: application/json' --data-raw '{ "strIteratorId": "48E14F430EF0058BB039929318693123", "nStart": 0, "nEnd": 20 }'
Response:
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY" .....
Critical task status
Status of the critical tasks: Backup of Administration Server data, Administration Server maintenance, Download updates to the Administration Server repository.
For example, Backup of Administration Server data. strTask is the numeric task ID shown in the Web Console task URL (for example https://localhost:8080/#/management/tasks/148); strHostName is the Administration Server host name.
Acquire the task execution history events (Tasks::GetTaskHistory):
curl --location --request POST 'https://localhost:13299/api/v1.0/Tasks.GetTaskHistory' --header 'X-KSC-Session: n/Uvfki+u+pAmb8jjMzVBzg==' --header 'Content-Type: application/json' --data-raw '{ "pSortFields": [{"type":"params","value":{"Name":"rise_time","Asc":false}}], "pFields2Return": [ "hostdn", "group_name", "task_new_state", "KLVSRV_DN", "rise_time", "GNRL_EA_DESCRIPTION" ], "strHostName": "KSC", "pFilter": { "type": "params", "value": {} }, "strTask": "103" }'
Response (iterator ID):
{"strIteratorId":"2C356F1FA5B5875980950999AD036094"}
Read the records (EventProcessing::GetRecordRange), passing the strIteratorId from the response:
curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' --header 'Content-Type: application/json' --data-raw '{ "strIteratorId": "2C356F1FA5B5875980950999AD036094", "nStart": 0, "nEnd": 20 }'
Response (sorted by rise_time descending; GNRL_EA_DESCRIPTION is present only where the task reported a message, here "Invalid destination folder."):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:47:57Z"},"task_new_state":1}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Invalid destination folder. ","group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":3}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:03Z"},"task_new_state":1}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:46:02Z"},"task_new_state":32}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":32}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-18T11:45:58Z"},"task_new_state":1}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-16T23:04:00Z"},"task_new_state":4}},{"type":"params","value":{"group_name":"Managed devices","hostdn":"KSC","rise_time":{"type":"datetime","value":"2022-01-14T23:04:00Z"},"task_new_state":4}}]}}
Information in Reports
Enumerate all existing reports (ReportManager::EnumReports):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.EnumReports' --header 'X-KSC-Session: nejYJnFLwJgs14KpxeH9UMA=='
Response (one report of many shown; RPT_ID, also present as KLRPT_REPORT_ID, is the lReportId for the next call):
{ "PxgRetVal": [ { "type": "params", "value": { "RPT_CREATED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" }, "RPT_DN": "Report on file operations on removable drives", "RPT_EXTRA_DATA": { "type": "params", "value": { "KLRPT_DONT_USE_SPACES_FOR_SLASHES": false, "KLRPT_EXPAND_PERIOD": true, "KLRPT_GLOBAL_SCOPE": false, "KLRPT_OWNER_SRV_INSTANCE": "e71217d1-4a96-462c-a56a-6112bdc5369b", "KLRPT_PROTECTION_INCLUDE_OK": false, "KLRPT_PROTECTION_INCLUDE_VM": true, "KLRPT_PROTECTION_INCLUDE_WARNING": true, "KLRPT_REPORT_ID": 27, "KLRPT_SLAVE_EXEC_TIMEOUT": 300, "KLRPT_SLAVE_REC_DEPTH": 1, "KLRPT_TEMPORAL": false } }, "RPT_GROUP_ID": 0, "RPT_ID": 27, "RPT_MODIFIED": { "type": "datetime", "value": "2021-04-30T12:39:00Z" }, "RPT_TYPE": 0 } }, ...
USB data transfer alert / Report on file operations on removable drives
Execute the report (ReportManager::ExecuteReportAsync); with KLRPT_TARGET_TYPE 2 the output file in this example is JSON:
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.ExecuteReportAsync' --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' --header 'Content-Type: application/json' --data-raw '{ "lReportId": 27, "pOptions": { "KLRPT_OUTPUT_FORMAT": { "type": "params", "value": { "KLRPT_TARGET_TYPE": 2 } } } }'
Response (request ID):
{"strRequestId":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}
Check the status of the async action (AsyncActionStateChecker::CheckActionState), passing the strRequestId as wstrActionGuid; repeat until bFinalized is true:
curl --location --request POST 'https://localhost:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg==' --header 'Content-Type: application/json' --data-raw '{"wstrActionGuid":"e54ff81b-bfe7-46bb-8f60-de1865bce47c"}'
Response, with the output path in KLRPT_OUTPUT_FILE:
{"bFinalized":true,"bSuccededFinalized":true,"lStateCode":1,"pStateData":{"KLRPT_OUTPUT_FILE":"/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json","KLRPT_OUTPUT_FORMAT":{"type":"params","value":{"KLRPT_TARGET_TYPE":2}}},"lNextCheckDelay":0}
Get the data with a GET request to the returned path, still with the session header:
curl --location --request GET 'https://localhost:13299/KLRT/2f4a6361-ebeb-42d6-b044-03dc30573a83.json' --header 'X-KSC-Session: na2b5M8XFBGHmP+P5+tDYcg=='
Response with the report data:
{"data":{"summary":{"heading":"Report on file operations on removable drives","subhead":"Report on file operations on removable drives","description":"This report provides information about file operations performed on removable drives. This report is generated for all groups.", ......
The same sequence works for every report: Server health status, threat detection details, software vulnerability details from the Report on vulnerabilities, etc.
Information on Dashboards
KLRPT_DSH_TYPE - statistics dashboard types and attributes:
22 - Distribution of anti-virus database versions on hosts (5 counters: actual, 1 day old, 3 days old, 7 days old, more than 7 days old)
Threat detection details (Critical, High, Medium):
56 - detection of threats
42 - prohibited applications
14 - most heavily infected devices
18, 19 - most frequent threats
40 - Distribution of hosts by vulnerability status (critical, high, warning, none)
26 - License usage
8 - Distribution of anti-virus protection states over time
20 - Current anti-virus protection state (number of hosts with status Critical, Warning and OK)
AV definition status
Request the data (ReportManager::RequestStatisticsData). The key under KLPPT_DASHBOARD ("AV-DB-2" here) is a caller-chosen unique name that is echoed back in the result; KLRPT_DSH_TYPE 22 is taken from the table above:
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.RequestStatisticsData' --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' --header 'Content-Type: application/json' --data-raw '{ "pRequestParams": { "KLPPT_DASHBOARD": { "type": "params", "value": { "AV-DB-2": { "type": "params", "value": { "KLRPT_DSH_TYPE": 22, "bIncludeVS": false, "id": 0 } } } } } }'
Response (request ID):
{"strRequestId": "BA357813B44D88306228D8614B081C11"}
Fetch the result (ReportManager::GetStatisticsData), passing the strRequestId from the ReportManager.RequestStatisticsData response:
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/ReportManager.GetStatisticsData' --header 'X-KSC-Session: npczf1aapMkBcNOV9rhVgHA==' --header 'Content-Type: application/json' --data-raw '{"strRequestId": "BA357813B44D88306228D8614B081C11"}'
Response (statistics dashboard):
{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"AV-DB-2":{"type":"params","value":{"KLRPT_DSH_TYPE":22,"bIncludeVS":false,"id":0,"nCount3Days":0,"nCount7Days":4,"nCountActual":1,"nCountDay":0,"nCountOld":1}}}}}}
Threat detection details (Critical, High, Medium)
Several dashboards can be requested in one call (ReportManager::RequestStatisticsData); each key (threatsDetection-1, prohibitedApps-1, ...) is again a caller-chosen unique name, and KLPPT_StatPeriodInSec 2592000 is 30 days:
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.RequestStatisticsData' --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' --header 'Content-Type: application/json' --data-raw '{ "pRequestParams": { "KLPPT_DASHBOARD": { "type": "params", "value": { "threatsDetection-1": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 56, "bIncludeVS": false, "id": 0 }}, "prohibitedApps-1": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 42, "bIncludeVS": false, "id": 0 }}, "infectedDevices-1": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 14, "bIncludeVS": false, "id": 0 }}, "frequentThreats0": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 18, "bIncludeVS": false, "id": 0 }}, "frequentThreats1": { "type": "params", "value": { "KLPPT_StatPeriodInSec": 2592000, "KLRPT_DSH_TYPE": 19, "bIncludeVS": false, "id": 0 }} } } } }'
Response (request ID):
{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}
Fetch the result (ReportManager::GetStatisticsData):
curl --location --request POST 'https://localhost:13299/api/v1.0/ReportManager.GetStatisticsData' --header 'X-KSC-Session: nz3Z1sQYVGWmpOcuBbRfjGQ==' --header 'Content-Type: application/json' --data-raw '{"strRequestId": "D988500C858EBAE332816C34E5588F7F"}'
Response (statistics dashboard; this capture comes from a run with differently named keys):
{"pResultData":{"KLPPT_DASHBOARD":{"type":"params","value":{"frequentThreats01":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":28,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":28,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":24,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":19,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":15,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":5,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}},{"type":"params","value":{"nCount":2,"wstrName":"UDS:Trojan.Win32.Agent.xadwev"}},{"type":"params","value":{"nCount":1,"wstrName":"Trojan.Multi.GenAutorunProc.a"}},{"type":"params","value":{"nCount":1,"wstrName":"http://bug.qainfo.ru/test/wmuf_w/"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":18,"bIncludeVS":false,"id":0}},"frequentThreats12":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":27,"wstrName":"UDS:HackTool.Win32.CreDump.cr"}},{"type":"params","value":{"nCount":22,"wstrName":"UDS:Trojan.Win32.Generic"}},{"type":"params","value":{"nCount":9,"wstrName":"EICAR-Test-File"}},{"type":"params","value":{"nCount":4,"wstrName":"HEUR:Trojan-PSW.Win64.Mimikatz.gen"}},{"type":"params","value":{"nCount":3,"wstrName":"Trojan-PSW.Win32.Mimikatz.gen"}},{"type":"params","value":{"nCount":1,"wstrName":"HEUR:Trojan-PSW.Win64.Convagent.gen"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":19,"bIncludeVS":false,"id":0}},"infectedDevices-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":114,"wstrInternalName":"1ccdd245-2850-424a-9f63-a35b115cbced","wstrName":"WIN10-KES-EDR"}},{"type":"params","value":{"nCount":7,"wstrInternalName":"3e043993-8332-4e1c-958e-a750cd3d0c7c","wstrName":"KHRAMEEV-WIN10"}},{"type":"params","value":{"nCount":2,"wstrInternalName":"c160e768-ba47-47e7-a905-d7c3d39b74d4","wstrName":"khrameev-ub19"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:27Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:27Z"},"KLRPT_DSH_TYPE":14,"bIncludeVS":false,"id":0}},"prohibitedApps-2":{"type":"params","value":{"DSHT_DATA":[],"KLPPT_StatPeriodInSec":2592000,"KLRPT_DSH_TYPE":42,"bIncludeVS":false,"id":0}},"threatsDetection-2":{"type":"params","value":{"DSHT_DATA":[{"type":"params","value":{"nCount":67,"nType":1,"wstrName":"File Threat Protection"}},{"type":"params","value":{"nCount":45,"nType":10,"wstrName":"Scan task"}},{"type":"params","value":{"nCount":9,"nType":3,"wstrName":"Web Threat Protection"}},{"type":"params","value":{"nCount":2,"nType":6,"wstrName":"Host Intrusion Prevention"}}],"KLPPT_StatFinishTime":{"type":"datetime","value":"2022-01-18T16:14:28Z"},"KLPPT_StatPeriodInSec":2592000,"KLPPT_StatStartTime":{"type":"datetime","value":"2021-12-19T16:14:28Z"},"KLRPT_DSH_TYPE":56,"bIncludeVS":false,"id":0}}}}}
End the session (Session::EndSession), using the PxgRetVal returned by Session.StartSession as the session header:
curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='
-
Description and cautions

The article shares working examples of using KSC API calls for one of the available scenarios: publishing the KSC virtual server Administration Agent package.

For the Windows version of cURL, you need to escape the inner double quotes with "\", otherwise there will be an error. For example:
'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites
Make sure you have Kaspersky Administration Agent available in installation packages.
Make sure you have an internal api-user with permissions for Kaspersky Security Center (main and virtual Kaspersky Security Center).

Example
KSC address: 127.0.0.1 (the address can also be external and used over the network)
API port: 13299 (default port of the KSC API)
User: api-user (internal user with Kaspersky Security Center rights for KSC and vKSC), base64: YXBpLXVzZXI=
Password: password, base64: cGFzc3dvcmQ=
Authentication type: Authenticated session; other types: see the KSC Open API description
vKSC name: vksc2, base64: dmtzYzI=
Requests are described in cURL format; it is also possible to use the Python library (KlAkOAPI Python package).

Session start for connecting to the KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

User and password are transmitted in base64 within a secure HTTPS session.

Response
{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Sending a request to the KSC server for the list of packages (PackagesApi::GetPackages2):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetPackages2' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

X-KSC-Session is the PxgRetVal from Session.StartSession. This retrieves the list of packages.
From the response, take KLPKG_NPI_PKGID of the Network Agent package that is to be transferred to the vKSC.

Response
{
  "PxgRetVal": [
    {...},
    {
      "type": "params",
      "value": {
        "KLPKG_NPI_AV_BASES_UPDATE_TIME": { "type": "datetime", "value": "" },
        "KLPKG_NPI_AV_BASES_UPD_SUPPORTED": false,
        "KLPKG_NPI_CREATION_TIME": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "KLPKG_NPI_EXTRA_DATA": {
          "type": "params",
          "value": {
            "KLPGG_VAPM_DISTRIB_GLBID": { "type": "long", "value": 0 },
            "KLPKG_EULA_UID": { "type": "binary", "value": "fPTQzfMWVvVPG7bFasjoJw==" },
            "KLPKG_FORMAT": 2,
            "KLPKG_IS_MSI": true,
            "KLPKG_LANG_TAG": "en",
            "KLPKG_PARENT_ID": 0,
            "KLPKG_PKG_MAN": 0,
            "KLPKG_PLATFORM": 2,
            "KLPKG_PRD_TYPE": 1,
            "KLPKG_TYPE": 1,
            "bPkgPrereqAllowed": true,
            "nPatchGlbId": { "type": "long", "value": 0 },
            "nPatchLcid": 0
          }
        },
        "KLPKG_NPI_MODIF_TIME": { "type": "datetime", "value": "2021-04-30T12:39:00Z" },
        "KLPKG_NPI_NAME": "Kaspersky Security Center 13 Network Agent (13.0.0.11247)",
        "KLPKG_NPI_PACKAGE_PATH": "\\\\KSC\\KLSHARE\\Packages\\NetAgent_13.0.0.11247",
        "KLPKG_NPI_PKGID": 3,
        "KLPKG_NPI_PRODUCT_DISPL_NAME": "Kaspersky Security Center 13 Network Agent",
        "KLPKG_NPI_PRODUCT_DISPL_VERSION": "13.0.0.11247",
        "KLPKG_NPI_PRODUCT_NAME": "1103",
        "KLPKG_NPI_PRODUCT_VERSION": "1.0.0.0",
        "KLPKG_NPI_SIZE": { "type": "long", "value": 70113813 },
        "KLPKG_NPI_SS_DESCR": "NetAgent_13.0.0.11247\\exec\\ss_install.xml|3"
      }
    },
    {...}
  ]
}

Sending a request for the vKSC list (VServers::GetVServers):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/VServers.GetVServers' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{ "lParentGroup": -1 }'

X-KSC-Session is the PxgRetVal from Session.StartSession. From the response, take KLVSRV_DN and KLVSRV_ID.

Response
{
  "PxgRetVal": [
    {...},
    {
      "type": "params",
      "value": {
        "KLVSRV_CREATED": { "type": "datetime", "value": "2021-11-23T11:48:53Z" },
        "KLVSRV_DN": "vksc2",
        "KLVSRV_ENABLED": true,
        "KLVSRV_GROUPS": 29,
        "KLVSRV_GRP": 0,
        "KLVSRV_HST_UID": "VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426",
        "KLVSRV_ID": 3,
        "KLVSRV_LIC_ENABLED": true,
        "KLVSRV_NEW_HOSTS_PROHIBITED": false,
        "KLVSRV_SUPER": 28,
        "KLVSRV_TOO_MUCH_HOSTS": false,
        "KLVSRV_UID": "VSRV64c559dc-17e1-459d-b9d5-4c26ec35d426",
        "KLVSRV_UNASSIGNED": 32
      }
    },
    {...}
  ]
}

Asynchronous request to transfer the Administration Agent installation package to the vKSC and create a standalone package (PackagesApi::RetranslateToVServerAsync):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.RetranslateToVServerAsync' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{ "nPackageId": 3, "nVServerId": 3, "pOptions": { "KLPKG_CREATE_STANDALONE_PRODS": false, "KLPKG_CREATE_STANDALONE_NAGT": true, "KLPKG_USE_LANGUAGE_TAG": "en", "KLPKG_TYPE": 1, "KLPKG_LAZY_RETRANSLATION": false } }'

X-KSC-Session: PxgRetVal from Session.StartSession
nPackageId: KLPKG_NPI_PKGID from PackagesApi.GetPackages2
nVServerId: KLVSRV_ID from VServers.GetVServers
KLPKG_USE_LANGUAGE_TAG: KLPKG_LANG_TAG from PackagesApi.GetPackages2

The response is the ID of the asynchronous action.

Response
{ "PxgRetVal": "C51B622B891CB03B7229A3CD9407B6AD" }

Checking the status of the action (AsyncActionStateChecker::CheckActionState):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/AsyncActionStateChecker.CheckActionState' \
  --header 'Content-Type: application/json' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A==' \
  --data-raw '{ "wstrActionGuid": "C51B622B891CB03B7229A3CD9407B6AD" }'

wstrActionGuid is the PxgRetVal from PackagesApi.RetranslateToVServerAsync. The response shows completion ("bFinalized": true) and successful execution ("bSuccededFinalized": true):

Response
{ "bFinalized": true, "bSuccededFinalized": true, "lStateCode": 1, "pStateData": { "KLPKG_EP_EXECID": 11, "KLPKG_EP_FILESIZE": 0 }, "lNextCheckDelay": 0 }

Ending the session to the KSC (Session::EndSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

Starting a session to connect to the virtual KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"' \
  --header 'X-KSC-VServer: dmtzYzI='

The user can belong to the vKSC or to the main KSC (user account rights for Kaspersky Security Center should additionally be configured in the vKSC). The user name and password are transferred in base64 as part of a secure HTTPS session. X-KSC-VServer is the vKSC name (KLVSRV_DN from VServers.GetVServers) in base64.

Response
{ "PxgRetVal": "nz1/AOfHq6cdf986vTvNV7Q==" }

Obtaining the list of standalone installation packages from the vServer (PackagesApi::GetExecutablePackages):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/PackagesApi.GetExecutablePackages' \
  --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q==' \
  --header 'Content-Type: application/json'

X-KSC-Session is the PxgRetVal from the vKSC Session.StartSession. From the response, take KLPKG_WebURL.

Response
{
  "PxgRetVal": {
    "KLPKG_evpExecs": [
      {...},
      {
        "type": "params",
        "value": {
          "KLPKG_CreationDate": { "type": "datetime", "value": "2021-11-24T12:07:23Z" },
          "KLPKG_EP_SHA256": "",
          "KLPKG_IsPublished": true,
          "KLPKG_IsVirtual": true,
          "KLPKG_LicenseSerialNum": "",
          "KLPKG_ModificationDate": { "type": "datetime", "value": "2021-11-24T12:07:23Z" },
          "KLPKG_NAME": "",
          "KLPKG_NagentDisplayVersion": "13.0.0.11247",
          "KLPKG_NagentPkgId": 28,
          "KLPKG_NagentPkgName": "Kaspersky Security Center 13 Network Agent (13.0.0.11247)",
          "KLPKG_ProdDisplayName": "",
          "KLPKG_TargetGroup": "Managed devices",
          "KLPKG_TargetGroupId": 29,
          "KLPKG_WebURL": "http://ksc.test.lab:8060/dlpkg?id=12712942",
          "KLPKG_evpAddPkgId": 28,
          "KLPKG_evpExecPkgId": 10,
          "KLPKG_evpPkgId": 28,
          "KLPKG_evpPkgPath": "",
          "KLPKG_evpPkgSize": 0
        }
      },
      {...}
    ]
  }
}

The standalone Network Agent installation package is available at KLPKG_WebURL for KLPKG_NagentPkgName.

Session end for the vKSC (Session::EndSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' \
  --header 'X-KSC-Session: nz1/AOfHq6cdf986vTvNV7Q=='

X-KSC-Session is the PxgRetVal from the vKSC Session.StartSession.
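The flow above (start a session, submit PackagesApi.RetranslateToVServerAsync, poll AsyncActionStateChecker.CheckActionState until bFinalized, end the session) as an added Python example. This is not code from the post, nor from Kaspersky's KlAkOAPI package. It derives the header values shown above from the plain credentials and the virtual server name, and runs offline against a scripted stand-in for the server that replays the response values from the post. Assumptions not stated on the page: lNextCheckDelay is treated as milliseconds, and the real urllib transport leaves TLS certificate trust to the caller's CA store.

```python
"""KSC Open API session helper with asynchronous-action polling.
Added example, not code from the post or from Kaspersky; it follows the request and
response shapes shown above. Assumed: lNextCheckDelay is in milliseconds."""
import base64
import json
import time
import urllib.request


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def ksc_basic_header(user, password, internal=True):
    """Authorization value for Session.StartSession (KSCBasic scheme)."""
    return 'KSCBasic user="%s", pass="%s", internal="%s"' % (
        b64(user), b64(password), "1" if internal else "0")


def vserver_header(name):
    """X-KSC-VServer value: the virtual server name (KLVSRV_DN) in base64."""
    return b64(name)


def urllib_post(url, headers, body):
    """Real transport. KSC serves HTTPS; certificate trust comes from the caller's CA store."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


class KscClient:
    def __init__(self, base_url, post=urllib_post):
        self.base_url = base_url.rstrip("/")
        self.post = post  # transport: post(url, headers, body) -> decoded JSON dict
        self.session = None

    def call(self, method, params=None, extra_headers=None):
        headers = {"Content-Type": "application/json"}
        if self.session:
            headers["X-KSC-Session"] = self.session  # PxgRetVal of Session.StartSession
        headers.update(extra_headers or {})
        body = json.dumps(params or {}).encode("utf-8")
        return self.post("%s/api/v1.0/%s" % (self.base_url, method), headers, body)

    def start_session(self, user, password, vserver=None):
        headers = {"Authorization": ksc_basic_header(user, password)}
        if vserver:  # connect to a virtual server instead of the main one
            headers["X-KSC-VServer"] = vserver_header(vserver)
        self.session = self.call("Session.StartSession", None, headers)["PxgRetVal"]
        return self.session

    def end_session(self):
        self.call("Session.EndSession")
        self.session = None

    def wait_for_action(self, action_guid, max_polls=100):
        """Poll CheckActionState until bFinalized; bSuccededFinalized decides success."""
        for _ in range(max_polls):
            state = self.call("AsyncActionStateChecker.CheckActionState",
                              {"wstrActionGuid": action_guid})
            if state.get("bFinalized"):
                if not state.get("bSuccededFinalized"):
                    raise RuntimeError("action %s failed: %r" % (action_guid, state))
                return state.get("pStateData", {})
            time.sleep(state.get("lNextCheckDelay", 0) / 1000.0)  # assumed milliseconds
        raise TimeoutError("action %s still running after %d polls" % (action_guid, max_polls))


def publish_nagent_to_vserver(client, package_id, vserver_id, lang="en"):
    """Retranslate the Network Agent package to a vKSC and wait for the result."""
    action = client.call("PackagesApi.RetranslateToVServerAsync", {
        "nPackageId": package_id,  # KLPKG_NPI_PKGID from PackagesApi.GetPackages2
        "nVServerId": vserver_id,  # KLVSRV_ID from VServers.GetVServers
        "pOptions": {"KLPKG_CREATE_STANDALONE_PRODS": False,
                     "KLPKG_CREATE_STANDALONE_NAGT": True,
                     "KLPKG_USE_LANGUAGE_TAG": lang,  # KLPKG_LANG_TAG of the package
                     "KLPKG_TYPE": 1,
                     "KLPKG_LAZY_RETRANSLATION": False}})["PxgRetVal"]
    return client.wait_for_action(action)


def scripted_ksc():
    """Constructed stand-in for the server that replays the values from the post."""
    polls = [0]

    def post(url, headers, body):
        method = url.rsplit("/", 1)[1]
        if method == "Session.StartSession":
            assert headers["Authorization"] == ksc_basic_header("api-user", "password")
            return {"PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A=="}
        assert headers.get("X-KSC-Session") == "nsPbUpP1oAVZlM1lODEbg8A=="
        if method == "PackagesApi.RetranslateToVServerAsync":
            assert json.loads(body)["nVServerId"] == 3
            return {"PxgRetVal": "C51B622B891CB03B7229A3CD9407B6AD"}
        if method == "AsyncActionStateChecker.CheckActionState":
            polls[0] += 1
            if polls[0] < 3:  # two "still running" replies before completion
                return {"bFinalized": False, "bSuccededFinalized": False,
                        "pStateData": {}, "lNextCheckDelay": 10}
            return {"bFinalized": True, "bSuccededFinalized": True, "lStateCode": 1,
                    "pStateData": {"KLPKG_EP_EXECID": 11, "KLPKG_EP_FILESIZE": 0},
                    "lNextCheckDelay": 0}
        return {}  # Session.EndSession

    return post


if __name__ == "__main__":
    client = KscClient("https://127.0.0.1:13299", post=scripted_ksc())
    client.start_session("api-user", "password")
    print(publish_nagent_to_vserver(client, package_id=3, vserver_id=3))
    client.end_session()
```

Run it as a script to see the final pStateData; construct KscClient without the post argument to talk to a real server. The point worth keeping from wait_for_action is that bFinalized and bSuccededFinalized are checked separately: a finalized action can still have failed, and a script that only waits for bFinalized will report success for a package that was never published.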
-
Description and cautions

The article shares a working example of using KSC API calls for one of the available scenarios: retrieving events and HW and/or SW inventory data.

For the Windows version of cURL, you need to escape the inner double quotes with "\", otherwise there will be an error. For example:
'Authorization: KSCBasic user=\"YXBpLXVzZXI=\", pass=\"cGFzc3dvcmQ=\", internal=\"1\"'

Details

Prerequisites
Internal user: api-user

Examples:
KSC address: 127.0.0.1 (the address can also be external)
API port: 13299 (default)
User: api-user (internal KSC user), base64: YXBpLXVzZXI=
Password: password, base64: cGFzc3dvcmQ=

Credentials:
User      api-user   base64: YXBpLXVzZXI=
Password  password   base64: cGFzc3dvcmQ=

Authentication type: Authenticated session; other types: see the KSC Open API description

All requests are in cURL format; as an alternative it is also possible to use the Python library (KlAkOAPI Python package).

Login

Start the connection to KSC (Session::StartSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.StartSession' \
  --header 'Authorization: KSCBasic user="YXBpLXVzZXI=", pass="cGFzc3dvcmQ=", internal="1"'

Username and password should be encoded to base64 as part of a secure HTTPS session. For example, https://www.base64encode.org/ can be used for encoding; for real credentials, encode locally (for example with the base64 command) rather than pasting them into a web service.

Response
{ "PxgRetVal": "nsPbUpP1oAVZlM1lODEbg8A==" }

Use this token in the X-KSC-Session request header.

Find Host

Find a host by filter string (HostGroup::FindHosts). The filter string contains a condition over host attributes, see also Search filter syntax.
We use "KLHST_WKS_DN" (host display name).

HostGroup::FindHosts

curl --location --request POST "https://127.0.0.1:13299/api/v1.0/HostGroup.FindHosts" --header "X-KSC-Session: nqepy9ZpZZ/2tiWXhil5cBg==" --header "Content-Type: application/json" --data-raw "{ \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"KLHST_WKS_DN\",\"KLHST_WKS_IP_LONG\",\"KLHST_WKS_PRODUCT_TAG_NAME\",\"KLHST_WKS_RTP_AV_VERSION\",\"KLHST_WKS_NAG_VER SION\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_LAST_UPDATE\",\"KLHST_WKS_VIRUS_COUNT\"], \"lMaxLifeTime\":1200, \"wstrFilter\":\"(KLHST_WKS_DN=\\"WIN10-OPTIMUM-1\\")\" }"

Response (accessor ID)
{"strAccessor":"ppYeO5rmkvKcMUm8vQzOK2","PxgRetVal":1}

Copy the accessor for the next request (ChunkAccessor::GetItemsChunk).

ChunkAccessor::GetItemsChunk

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/ChunkAccessor.GetItemsChunk" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"strAccessor\":\"fb07haDqXIKZbQzyDsMwx1\", \"nStart\": 0, \"nCount\": 100 }"

Response (info about the host):
{"pChunk":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_DN":"WIN10-OPTIMUM-1","KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","KLHST_WKS_IP_LONG":{"type":"long","value":172250504},"KLHST_WKS_LAST_UPDATE":{"type":"datetime","value":"2022-02-17T13:00:01Z"},"KLHST_WKS_NAG_VERSION":"13.2.0.1511","KLHST_WKS_RTP_AV_VERSION":"11.7.0.669","KLHST_WKS_VIRUS_COUNT":{"type":"long","value":9}}}]},"PxgRetVal":1}

Copy the value of "KLHST_WKS_HOSTNAME" for use in the next request.

Hardware Inventory

SrvView

Find srvview data by filter string (SrvView::ResetIterator).
"wstrViewName": see List of supported srvviews.
"vecFieldsToReturn": see https://support.kaspersky.com/help/KSC/13.1/KSCAPI/a00307.html
"wstrFilter":"(KLHST_WKS_HOSTNAME=\"c0816918-fbc5-4fbc-8fed-6f245756120e\")" (KLHST_WKS_HOSTNAME from the previous request)

SrvView::ResetIterator

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.ResetIterator" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrViewName\":\"HWInvPCSrvViewName\", \"vecFieldsToReturn\":[\"KLHST_WKS_HOSTNAME\",\"dev_id\",\"RamType\",\"dev_type\"], \"vecFieldsToOrder\":[{\"type\":\"params\",\"value\":{\"Name\":\"dev_id\",\"Asc\":\"true\"}}], \"lifetimeSec\":100, \"pParams\":{\"TOP_N\":\"yes\",\"USE_DISTINCT\":\"true\"}, \"wstrFilter\":\"(KLHST_WKS_HOSTNAME=\\"c0816918-fbc5-4fbc-8fed-6f245756120e\\")\" }"

Response (iterator ID)
{"wstrIteratorId":"466579A79FA755D69B94EC60A5B04744"}

Get the records from the iterator (SrvView::GetRecordRange)

SrvView::GetRecordRange

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/SrvView.GetRecordRange" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"wstrIteratorId\":\"50054D2A2D7A93DCEBFA3BE6F7E21D5E\", \"nStart\": 0, \"nEnd\": 100 }"

Response (hardware matching the filter):
{"pRecords":{"KLCSP_ITERATOR_ARRAY":[{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"ABE3CC21B521C704DA4FC63BD5698F71","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\1&1F0C3C2F&0&UID256","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"DISPLAY\\DEFAULT_MONITOR\\4&31BE19FA&0&UID0","dev_type":7}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E05564F28A7EBE312D1326FD0D1A8479","dev_type":1}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"E69E8830E7D33F96BF1E21996A7D73CA","dev_type":0}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\\3&18D45AA6&0&78","dev_type":4}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"PCI\\VEN_8086&DEV_10D3&SUBSYS_07D015AD&REV_00\\005056FFFF87CC6600","dev_type":6}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"Physical Memory 0","dev_type":2}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\\5&A629540&0&000000","dev_type":8}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\5&1982005&0&000000","dev_type":3}},{"type":"params","value":{"KLHST_WKS_HOSTNAME":"c0816918-fbc5-4fbc-8fed-6f245756120e","dev_id":"SWD\\REMOTEDISPLAYENUM\\RDPIDD_INDIRECTDISPLAY&SESSIONID_0002","dev_type":4}}]}}

Software Inventory

Acquire the software applications installed on the specified host.
(InventoryApi::GetHostInvProducts)

"szwHostId": KLHST_WKS_HOSTNAME from the previous request

InventoryApi::GetHostInvProducts

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/InventoryApi.GetHostInvProducts" -H "X-KSC-Session: noOxgI9Ny7O5Whg/97qvcVg==" -H "Content-Type: application/json" --data-raw "{ \"szwHostId\":\"c0816918-fbc5-4fbc-8fed-6f245756120e\", \"pParams\":{\"KLEVP_EA_PARAM_1\":\"\"} }"

Response (info about software):
{"PxgRetVal":{"GNRL_EA_PARAM_1":[{"type":"params","value":{"ARPRegKey":"{F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","CleanerProductName":"","Comments":"","DisplayName":"Kaspersky Endpoint Security for Windows","DisplayVersion":"11.7.0.669","HelpLink":"https://click.kaspersky.com/?hl=en&link=support&pid=kes&version=21.4.20.669","HelpTelephone":"","InstallDate":"20211002","InstallDir":"C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\\","InstanceID":{"type":"binary","value":"AA=="},"LangId":1033,"PackageCode":"","ProductID":"4E8A2680B3C78565814848DB5ED35C83","Publisher":"AO Kaspersky Lab","QuietUninstallString":"msiexec.exe /X {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16} /quiet /norestart","UninstallString":"msiexec.exe /x {F4ECE08F-50E9-44E2-A2F3-2F3C8DDF8E16}","VapmBuild":{"type":"long","value":0},"bIsMsi":true}},{"type":"params","value":{"ARPRegKey":"{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}","CleanerProductName":"","Comments":"","DisplayName":"Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508","DisplayVersion":"14.20.27508.1","HelpLink":"","HelpTelephone":"","InstallDate":"20210512","InstallDir":"","InstanceID":{"type":"binary","value":"AA=="},"LangId":0,"PackageCode":"","ProductID":"2E30B54FFAFE11F6DEDB0A31EA8CD6D1","Publisher":"Microsoft Corporation","QuietUninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall /quiet","UninstallString":"\"C:\\ProgramData\\Package Cache\\{8c3f057e-d6a6-4338-ac6a-f1c795a6577b}\\VC_redist.x86.exe\" /uninstall","VapmBuild":{"type":"long","value":0},"bIsMsi":false}}, .......

Tasks Operations

strTask is the task ID shown when you open the task in the KSC Web Console, for example 1326 (the URL has the form https://localhost:8080/#/management/tasks/148).

Get Task

Acquire attributes of the specified task (Tasks::GetTask).

Response
{"PxgRetVal":{"DisplayName":"KEA - Isolation ON","PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-10T13:57:34Z"},"TASKID_PRODUCT_NAME":"1093","TASKID_VERSION":"1.0.0.0","TASK_NAME":"Remote Installation","TASK_UNIQUE_ID":"1326"}}

Run task

Run the remote installation task, i.e. start the specified task (Tasks::RunTask).

Tasks::RunTask

curl -L -X POST "https://127.0.0.1:13299/api/v1.0/Tasks.RunTask" -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" -H "Content-Type: application/json" --data-raw "{ \"strTask\":\"1326\" }"

strTask is the task ID from the KSC Web Console.

Update Task

Get Task Data

Acquire the task settings (Tasks::GetTaskData).

Tasks::GetTaskData

curl -L -X POST "https://localhost:13299/api/v1.0/Tasks.GetTaskData" -H "X-KSC-Session: nGPT3zYhYOveOJ9qnbRAjpQ==" -H "Content-Type: application/json" --data-raw "{ \"strTask\":\"1326\" }"

The response contains all task parameters; some of them must be used in the next request.

Modify task settings.
Tasks::UpdateTask

POST /api/v1.0/Tasks.UpdateTask HTTP/1.1
Host: localhost:13299
X-KSC-Session: n8quj71CtoWbYijcBHY6FvA==
Content-Type: application/json
Content-Length: 3477

{ "strTask":"1338", "pData":{ "TASKID_COMPONENT_NAME":"87", "TASKID_PRODUCT_NAME":"1093", "TASKID_VERSION":"1.0.0.0", "TASK_NAME":"Remote Installation", "TASKSCH_TYPE":0, "TASK_ADDITIONAL_PARAMS":{"type":"params","value":{"KLNAG_TASK_REMOTE_INSTALL_ACCOUNT":"","KLNAG_TASK_REMOTE_INSTALL_ACCOUNT_PSWD":{"type":"binary","value":""},"KLSRV_COUPLED_NAGT_TSID":"9066e3c9-c709-434f-9196-88dcf4c70c23","KLTSK_RI_CHECK_OS":true,"KLTSK_RI_GROUP_TO_MOVE_HOST":-1,"KLTSK_RI_MAX_DOWNLOADS":5,"KLTSK_RI_MGD_BY_OTHER_SERVER":0,"KLTSK_RI_PACKAGES_GUIDS":["e71217d1-4a96-462c-a56a-6112bdc5369b:65"],"KLTSK_RI_PACKAGES_IDS":[65],"KLTSK_RI_ROOT":{"type":"binary","value":""},"KLTSK_RI_SKIP_PRESENT_PRODS":true,"KLTSK_RI_TMP_FOLDER":"","KLTSK_RI_USE_NAGENT":true,"KLTSK_RI_USE_SHARE":true,"KLTSK_RI_USE_SHARE_SRV":true,"KLTSK_RI_USE_SHARE_UA":false,"MaxTryCount":3,"UseGPO":false,"klprts-TaskAccountUser":"","klprts-TaskAccounts":[],"klprts-TaskMaxRunningTime":7200000,"klprts-TaskStorageId":"dd64d20d-c529-4d47-a854-38c1c2c77a77"}}, "PRTS_TASK_GROUPID":-1, ".HstQueryId":0, "TASK_INFO_PARAMS":{"type":"params","value":{"DisplayName":"KEA - Isolation ON for specific host","HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}],"KLEVP_NOTIFICATION_DESCR_ID":"9b84b28a-e47b-4120-8147-bb67fef681ea","KLPRSS_EVPNotifications":{"type":"params","value":{"ERR":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"INF":[{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":2}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLEVP_GroupTaskSyncState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":4}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}},{"type":"params","value":{"KLEVP_ND_BODY_FILTER":{"type":"params","value":{"KLPRCI_newState":1}},"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}],"WRN":[{"type":"params","value":{"KLEVP_ND_DAYS_TO_STORE_EVENT":7,"KLEVP_ND_EVETN_TYPE":"KLPRCI_TaskState","KLEVP_ND_STORE_AT_CLIENT_LOG":false,"KLEVP_ND_STORE_AT_CLIENT_PRES":false,"KLEVP_ND_STORE_AT_SERVER_LOG":false}}]}},"KLSRV_PRTS_TASK_ENABLED_FLAG":true,"KLTSK_ALLOW_AUTO_RANDOMIZATION":true,"PRTS_TASK_CREATION_DATE":{"type":"datetime","value":"2022-02-15T11:40:43Z"},"PRTS_TASK_GROUPID":-1,"PRTS_TASK_TARGET_COMPUTERS_TYPE":0,"klprts-DontApplyToSlaveServers":true,"klprts-TaskMaxRunningTime":7200000,"klprts-TaskScheduleSubtype":256,"klprts-TaskScheduleSubtypeEx":0}} } }

Change the values in HostList to the specific host(s) the task should target, for example:

"HostList":[{"type":"params","value":{"HostDispName":"WIN10-KES-11OLD","HostName":"6294f978-292d-4b5f-aa57-bb429147687b","Preliminary":false}},{"type":"params","value":{"HostDispName":"ATM-01","HostName":"ba973373-8120-47a0-9989-686cba2430af","Preliminary":false}}]

Send the full request body above with that HostList, then run the task (Tasks::RunTask, see above).

Host Events

Create an event processing iterator with a filter (EventProcessingFactory::CreateEventProcessing2).

pFilter (params): object containing values for attributes to filter events. Only events with matching attribute values will be returned. If empty, all events will be returned. See List of event filter attributes for attribute names.

"GNRL_EA_SEVERITY" (paramInt): event severity. May have the following values:
0 - Constant to be used as invalid event severity value
1 - Severity "Information"
2 - Severity "Warning"
3 - Severity "Error"
4 - Severity "Critical"

vecFieldsToReturn (array): array of attribute names to return. See List of event attributes for attribute names.

KLEVP_EVENT_HOST is the host ID (KLHST_WKS_HOSTNAME from FindHosts).

EventProcessingFactory::CreateEventProcessing2

POST /api/v1.0/EventProcessingFactory.CreateEventProcessing2 HTTP/1.1
Host: localhost:13299
X-KSC-Session: nvLZ4Hwi5VAL7XIiMwPaxPw==
Content-Type: application/json
Content-Length: 440

{
  "pFilter": {
    "KLEVP_EVENT_HOST": "a537ddc0-b84b-488a-993c-9f76e62036e9",
    "GNRL_EA_SEVERITY": 4
  },
  "vecFieldsToReturn": [ "GNRL_EA_SEVERITY", "event_db_id", "rise_time", "hostname", "event_type", "event_type_display_name", "GNRL_EA_DESCRIPTION", "group_id", "group_name" ],
  "vecFieldsToOrder": [],
  "lifetimeSec": 1000
}

KLEVP_EVENT_HOST: host ID; GNRL_EA_SEVERITY 4: critical events only.

Response (iterator ID)
{"strIteratorId":"A07B69A5347CF435DB66C0FA826371FF"}

Get the results from the iterator (EventProcessing::GetRecordRange):

EventProcessing::GetRecordRange

curl --location --request POST 'https://localhost:13299/api/v1.0/EventProcessing.GetRecordRange' --header 'X-KSC-Session: nT0T9KvkIKlgHGGaZ60j38Q==' --header 'Content-Type: application/json' --data-raw '{ "strIteratorId":"A07B69A5347CF435DB66C0FA826371FF",
"nStart": 0, "nEnd": 100 }'

Response (critical events):
{"pParamsEvents":{"KLEVP_EVENT_RANGE_ARRAY":[{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119829},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:10:44Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119818},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime","value":"2022-03-04T09:05:34Z"}}},{"type":"params","value":{"GNRL_EA_DESCRIPTION":"Event type: KSN servers unavailable\r\nName: avp.exe\r\nApplication path: C:\\Program Files (x86)\\Kaspersky Lab\\Kaspersky Endpoint Security for Windows\r\nProcess ID: 18446744073709551615\r\nUser: SALES\\markovets (Active user)\r\nComponent: Protection","GNRL_EA_SEVERITY":4,"event_db_id":{"type":"long","value":119807},"event_type":"000007e7","event_type_display_name":"KSN servers unavailable","group_id":5,"group_name":"KEDR-O","hostname":"a537ddc0-b84b-488a-993c-9f76e62036e9","rise_time":{"type":"datetime",........
Close the session to KSC (Session::EndSession):

curl --location --request POST 'https://127.0.0.1:13299/api/v1.0/Session.EndSession' --header 'X-KSC-Session: nsPbUpP1oAVZlM1lODEbg8A=='

X-KSC-Session is the PxgRetVal from Session.StartSession.
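Every response on this page wraps long, datetime, binary and params values as {"type": ..., "value": ...}, and both ChunkAccessor.GetItemsChunk and EventProcessing.GetRecordRange return results in pages that a script has to walk. The added Python example below (not code from the post, nor from Kaspersky's KlAkOAPI package) decodes those wrappers, walks an EventProcessing iterator to the end, and summarises the returned critical events by type; the same unwrap() applies to the KLPPT_DASHBOARD and host responses earlier on the page. The three sample events are constructed to match the shape of the GetRecordRange reply above. EventProcessing.GetRecordCount and EventProcessing.ReleaseIterator are assumed to exist alongside GetRecordRange (they are not shown in the post).

```python
"""Decoding KSC Open API typed values and paging an event iterator.
Added example, not code from the post or from Kaspersky; the wrapper shape and field
names are those in the responses above, and the sample events are constructed.
Assumed: EventProcessing.GetRecordCount / ReleaseIterator exist next to GetRecordRange."""

# Event severity codes as listed in the post.
SEVERITY = {0: "invalid", 1: "Information", 2: "Warning", 3: "Error", 4: "Critical"}


def unwrap(node):
    """Recursively strip the {"type": t, "value": v} wrappers KSC puts around
    long, datetime, binary and params values."""
    if isinstance(node, dict):
        if set(node) == {"type", "value"}:
            return unwrap(node["value"])
        return {k: unwrap(v) for k, v in node.items()}
    if isinstance(node, list):
        return [unwrap(v) for v in node]
    return node


def iterate_events(call, iterator_id, page_size=100):
    """Yield every record behind an EventProcessing iterator, page by page.
    `call(method, params)` returns the decoded JSON reply (the session helper
    earlier on the page or KlAkOAPI can provide it). ChunkAccessor pages the
    same way, with nStart/nCount and pChunk.KLCSP_ITERATOR_ARRAY instead."""
    total = call("EventProcessing.GetRecordCount", {"strIteratorId": iterator_id})["PxgRetVal"]
    start = 0
    try:
        while start < total:
            reply = call("EventProcessing.GetRecordRange",
                         {"strIteratorId": iterator_id, "nStart": start, "nEnd": start + page_size})
            batch = unwrap(reply["pParamsEvents"].get("KLEVP_EVENT_RANGE_ARRAY", []))
            if not batch:
                break
            for record in batch:
                yield record
            start += len(batch)  # advance by what came back, not by page_size
    finally:
        call("EventProcessing.ReleaseIterator", {"strIteratorId": iterator_id})


def summarise(records):
    """Count events per (severity name, event type) and keep the latest rise_time."""
    summary = {}
    for r in records:
        key = (SEVERITY.get(r.get("GNRL_EA_SEVERITY"), "unknown"),
               r.get("event_type_display_name", ""))
        entry = summary.setdefault(key, {"count": 0, "last_seen": ""})
        entry["count"] += 1
        entry["last_seen"] = max(entry["last_seen"], r.get("rise_time", ""))  # ISO-8601 Z sorts as text
    return summary


def _event(db_id, rise_time, severity, name):
    # Same wrapping as the GetRecordRange reply shown above; values are constructed.
    return {"type": "params", "value": {
        "GNRL_EA_SEVERITY": severity,
        "event_db_id": {"type": "long", "value": db_id},
        "event_type_display_name": name,
        "hostname": "a537ddc0-b84b-488a-993c-9f76e62036e9",
        "rise_time": {"type": "datetime", "value": rise_time}}}


SAMPLE_EVENTS = [  # constructed sample data
    _event(119829, "2022-03-04T09:10:44Z", 4, "KSN servers unavailable"),
    _event(119818, "2022-03-04T09:05:34Z", 4, "KSN servers unavailable"),
    _event(119807, "2022-03-04T09:01:00Z", 4, "Malicious object detected"),
]


def scripted_call(method, params):
    """Constructed stand-in for the server: serves SAMPLE_EVENTS in slices."""
    if method == "EventProcessing.GetRecordCount":
        return {"PxgRetVal": len(SAMPLE_EVENTS)}
    if method == "EventProcessing.GetRecordRange":
        return {"pParamsEvents": {"KLEVP_EVENT_RANGE_ARRAY":
                                  SAMPLE_EVENTS[params["nStart"]:params["nEnd"]]}}
    return {}  # EventProcessing.ReleaseIterator


def critical_event_report(call, iterator_id, page_size=2):
    """Walk the iterator and summarise; page_size=2 exercises paging on the sample."""
    return summarise(iterate_events(call, iterator_id, page_size))


if __name__ == "__main__":
    report = critical_event_report(scripted_call, "A07B69A5347CF435DB66C0FA826371FF")
    for (severity, name), v in sorted(report.items()):
        print("%-9s %-28s count=%d last=%s" % (severity, name, v["count"], v["last_seen"]))
```

Advancing nStart by the number of records actually returned, rather than by the page size, keeps the loop correct whether the server treats nEnd as inclusive or exclusive, and releasing the iterator in a finally block means a consumer that stops early (or raises) does not leave it occupying server memory until lifetimeSec expires.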
-
Description and cautions

Sometimes you may need KWTS to write syslog messages to a different log name and/or path. We're talking about this setting:

The steps below were performed on CentOS 7+ x64 and Ubuntu 20.04/22.04 x64, KWTS 6.1, NOT ISO.

By default the facility is set to local1, and depending on the OS KWTS writes syslog messages to:
1) CentOS > /var/log/messages
2) Ubuntu > /var/log/syslog

Details

Here's how to change the default behavior:

1. Change the value in the web interface to, for instance, local0.
2. Modify /var/opt/kaspersky/kwts/postgresql/postgresql.conf so it looks like this:
3. Modify the rsyslog configuration like this:
-For CentOS: /etc/rsyslog.conf
-For Ubuntu: /etc/rsyslog.d/50-default.conf (the name could actually be different, but this one is the default for a clean installation of Ubuntu)
4. Configure rotation for your /var/log/kwts-syslog.log (name it as you wish):
-For CentOS: /etc/logrotate.d/syslog; you can just append it to the current rotation settings or configure your own parameters (refer to the online documentation)
-For Ubuntu: /etc/logrotate.d/syslog (you can create your own parameters as well)
5. Reboot the OS and finally check that KWTS writes syslog messages to your new log with the cat /var/log/kwts-syslog.log command.
-
Problem

When a user is a member of a lot of AD groups, they may be unable to log in to the KATA web interface via SSO.

Step-by-step guide

1. Modify /etc/opt/kaspersky/apt-swarm/swarm_config.json like this (set buffer_size to 65535 under the uwsgi section; it's at the bottom of the file).
2. Execute via SSH:
apt-settings-manager get /configuration/web_backend | python -m json.tool > /tmp/web_backend
3. vim /tmp/web_backend
4. Find uwsgi and change the value as below, then save the file:
"uwsgi": {
    "buffer_size": 65535,
    "cache2": [
5. Put the settings back:
apt-settings-manager set /configuration/web_backend @/tmp/web_backend
6. Execute docker ps | grep nginx
The output will be similar to this:
39c125e0546e kaspersky/kata/web/nginx_gateway:0e5fabb
Write down this value, 39c125e0546e (yours will be different).
7. Execute:
docker exec -it 39c125e0546e bash
echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf
nginx -s reload
exit
8. Do the same (steps 6-7) for the web_backend container.
9. However, if the web_backend and nginx_gateway containers are restarted, the changes from steps 6-7 will be lost, so you can quickly put the settings back like this:
docker exec -it `docker ps | grep web_backend | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'
docker exec -it `docker ps | grep nginx_gateway | awk '{print $1}'` bash -c 'echo "large_client_header_buffers 8 64k;" > /etc/nginx/conf.d/large_buffers.conf && nginx -s reload'
-
Problem Description, Symptoms & Impact
When downloading large collects (sandbox-debug-report) exceeding 1Gb in size, the download suddenly fails above 1Gb (at ~1 05x xxx KB).

Diagnostics
Reproducible in all browsers, not bound to download speed; the downloaded part size is roughly 1Gb.

Workaround & Solution
Workaround: download sandbox-debug-report using SCP and the CLI, see https://forum.kaspersky.com/topic/how-to-gather-sandbox-debug-report-from-terminal-katakedre-36851/
Solution: as root, add the directive uwsgi_max_temp_file_size 0; to the file /etc/nginx/conf.d/sandbox-ram-frontend.conf on the sandbox, as follows:

/etc/nginx/conf.d/sandbox-ram-frontend.conf
location ~ ^/api/(.*) {
    rewrite ^/api/(.*)$ $1 break;
    uwsgi_pass ram_backend;
    uwsgi_read_timeout 900;
    client_max_body_size 2048m;
    include uwsgi_params;
    uwsgi_max_temp_file_size 0;    <--- add this line
}

Apply the changes by reloading the nginx configuration: nginx -s reload

RCA
The nginx uwsgi module buffers the upstream response to a temporary file whose size is capped by uwsgi_max_temp_file_size; its built-in limit of 1Gb applies unless another value is specified explicitly. Setting it to 0 disables buffering to temporary files, so the response is passed to the client without that cap.
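An idempotent way to apply this change, as an added shell example that is not part of the original post: it inserts the directive after the include uwsgi_params; line of the location block, keeps a backup, refuses to add the directive twice, and only reloads nginx once nginx -t passes. The file path and the directive are the ones the post names; the backup suffix and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: add uwsgi_max_temp_file_size 0; to the Sandbox front-end nginx config without hand editing.
# Assumptions: the config file path from the post, GNU/BSD awk, nginx in PATH for the reload step.
CONF="${CONF:-/etc/nginx/conf.d/sandbox-ram-frontend.conf}"
DIRECTIVE='uwsgi_max_temp_file_size 0;'

# 0 if the directive is already present in the file
sandbox_has_directive() {
    grep -Eq '^[[:space:]]*uwsgi_max_temp_file_size[[:space:]]' "$1"
}

# Insert the directive (with matching indentation) right after the first "include uwsgi_params;" line
sandbox_add_directive() {
    f="${1:-$CONF}"
    sandbox_has_directive "$f" && return 0          # already there, nothing to do
    grep -q 'include uwsgi_params;' "$f" || { echo "no 'include uwsgi_params;' in $f" >&2; return 1; }
    cp "$f" "$f.bak"
    awk -v d="$DIRECTIVE" '
        { print }
        /^[ \t]*include uwsgi_params;/ && !done {
            match($0, /^[ \t]*/)                     # reuse the indentation of the include line
            print substr($0, 1, RLENGTH) d
            done = 1
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    sandbox_has_directive "$f"
}

# Validate, then reload; a syntax error never reaches the running nginx
sandbox_reload() {
    nginx -t && nginx -s reload
}
```

Typical use on the sandbox node as root: sandbox_add_directive && sandbox_reload. Keep the .bak copy until the next large download has been verified; if the config is regenerated by an update, rerunning the function is safe because it does nothing when the directive is already present.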
-
How to remove device [KES Cloud]
svc_kms posted a blog entry in Kaspersky Endpoint Security Cloud's Kaspersky Endpoint Security Cloud
Here we try to describe the proper scenario of device deletion. First of all, you need to put the device into the "Marked for deletion" list. After that, if the device is still syncing with KES Cloud, the applications will be uninstalled automatically and the device will be deleted. Here is the article with detailed information. You may be confused by the "Permanently delete" option. Please note that this option should be used to delete the entry from this list. It can be useful when the machine is no longer syncing with KES Cloud and only the entry in the list remains. To delete this entry you can use the "Permanently delete" option. If the machine is still working and syncing with Network Agent, you should not use this option, because after the entry is deleted it will appear again in the console after the first successful sync. You should wait for the automatic deletion of the applications or delete them manually. To delete a device properly, you need to wait till the uninstallation process is performed or force it with the "Run uninstallation now" option in the device properties. You should not do this for all devices: when you start this feature for one device, it will be started for the others too.
-
Issue
The "Databases and modules update task" is configured for hosts with LENA 3.12 installed. The task is executed via KSC.

Diagnostics
- An "Activate KEA" task is configured for the hosts with LENA, or has been configured and deleted in the past.
- An update executed locally using lenactl works.
- KLNagent successfully synchronizes with the server.
- Other installed applications (e.g. KESL) display no synchronization issues.

Workaround
To fix the issue:
1. Remove the "Activate KEA" task or any other configured KEA tasks except for "Databases and modules update task" for hosts with LENA installed. If necessary, move hosts with LENA to a separate group, or configure the other desired KEA tasks using a selection for Windows hosts only.
2. Ensure there are no tasks except for "Databases and modules update task" remaining for hosts with LENA installed in KSC.
3. Option A. Reinstall LENA on the hosts to get rid of the cached activation tasks.
   Option B. Remove the problematic cached tasks locally:
   Stop LENA:
   # systemctl stop epagent
   Remove the cached tasks:
   # rm -rf /var/opt/kaspersky/epagent/tasks/*
   Start LENA:
   # systemctl start epagent
   Force synchronization with the host, e.g. by calling klnagchk:
   # /opt/kaspersky/klnagent64/bin/klnagchk
   Ensure one task is received:
   # ll /var/opt/kaspersky/epagent/tasks/
4. Execute "Databases and modules update task" on KSC. Ensure it finishes successfully. Double-check locally that the bases are updated.

RCA
The LENA connector that receives the product tasks from KLNagent is configured to accept only valid tasks and halts synchronization if an invalid task is received. Only "Databases and modules update task" is considered valid for the certified LENA version. The "Activate KEA" task is received or cached first, and the connector halts synchronization once it is processed, so the update task is never received by the product.
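Because a single stale cached task is enough to stop all further task delivery, the task cache is worth checking before and after the fix. As an added example (not from the KB post), a POSIX shell helper that counts the cached task entries, reports when the cache holds anything other than the single expected task, and wraps Option B into one function that re-checks the cache after the forced sync. The paths /var/opt/kaspersky/epagent/tasks and /opt/kaspersky/klnagent64/bin/klnagchk come from the post; the overridable variables and helper names are assumptions.

```shell
#!/bin/sh
# Added example: inspect and reset the LENA task cache described in the post.
# Assumptions: paths as in the post; TASKS_DIR/KLNAGCHK can be overridden (e.g. for a dry run on a copy).
TASKS_DIR="${TASKS_DIR:-/var/opt/kaspersky/epagent/tasks}"
KLNAGCHK="${KLNAGCHK:-/opt/kaspersky/klnagent64/bin/klnagchk}"

# Number of cached task entries (0 when the directory is missing or empty)
lena_cached_task_count() {
    [ -d "$TASKS_DIR" ] || { echo 0; return 0; }
    find "$TASKS_DIR" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# 0 when exactly the one expected task is cached, 1 otherwise (reason on stderr)
lena_task_cache_ok() {
    n=$(lena_cached_task_count)
    [ "$n" -eq 1 ] && return 0
    echo "task cache holds $n entries, expected 1 (a stale KEA task blocks synchronization)" >&2
    return 1
}

# Option B from the post: stop the agent, drop the cache, start it, force a sync, verify the cache
lena_reset_task_cache() {
    systemctl stop epagent || return 1
    rm -rf "$TASKS_DIR"/*
    systemctl start epagent || return 1
    "$KLNAGCHK" >/dev/null 2>&1 || { echo "klnagchk failed, check Network Agent connectivity" >&2; return 1; }
    lena_task_cache_ok
}
```

Run lena_task_cache_ok first: if it already reports one entry while updates still fail, the leftover is on the KSC side (step 1 and 2), not in the local cache, and clearing the cache alone will not help.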
-
NOTE: KSC CC is a cloud solution and its IP address can change. Run the klnagchk utility on a host connected to the target workspace. Find the KSC CC server address in the klnagchk output; it should look like eXXX.ksc.kaspersky.com. Use the nslookup utility to find the IP address of this server.
-
Deployment of a Kaspersky failover cluster [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
Description and cautions
This article describes a specific scenario: an HA KSC cluster with 4 CGWs across two geographically isolated DCs (Data Centers).

High-level procedure:
- KLAdmins group: ksc, rightless / gmsa-ksc-server, gmsa-ksc-nwc; $KSC-NODE-1, $KSC-NODE-2, $SQL-SRV / sql / gmsa-sql-server
- SMB shares: data, state, sc_backup, kl-share | SMB permissions and NTFS ACL: Full Control for KLAdmins
- Create the MS SQL database KLFOC | grant access for the Administration Server account
- Reboot the servers
- Map network drives: data, state
- Install KLFOC

Details
Here below is the detailed step-by-step procedure.

General terms
HA - High Availability
DC - Data Center
CGW - Connection Gateway
gMSA - Group Managed Service Account
WSFC - Windows Server Failover Cluster

Prerequisites
Hardware and software requirements
To deploy a Kaspersky failover cluster, you must have the following:
- 2x Windows Server with identical hardware and software. These servers will act as the active and passive nodes.
- OS: Windows Server 2019, activated and configured on both servers, with the latest Windows updates and drivers installed.
- Windows Firewall: disabled on both KSC server nodes.
- DNS: A and PTR records for the nodes; 2x IP addresses for the KSC nodes.
- Internet connectivity for both KSC server nodes: 1. for downloading signatures and application updates on the KSC cluster; 2. for downloading third-party updates for vulnerability and patch management (if applicable).
- Microsoft OLE DB Driver for SQL Server | Link. Introduces multi-subnet failover capabilities in its first release and keeps up with the latest TLS 1.2 standards.
  Connection with TLS 1.2:
  1. Make sure that the remote SQL Server (or SQL Express) used by the Administration Server is really a 64-bit application (sqlservr.exe is a 64-bit process).
  2. On the computer with Administration Server installed, do the following:
     - Install the MSOLEDBSQL provider and reboot the computer if required.
     - Set KLDBADO_UseMSOLEDBSQL=1:
       i. either by defining the global environment variable KLDBADO_UseMSOLEDBSQL=1,
       ii. or by setting the Administration Server flag KLDBADO_UseMSOLEDBSQL=1 using klscflag.exe:
           klscflag.exe -fset -pv klserver -n KLDBADO_UseMSOLEDBSQL -v 1 -t d
     - Reboot the computer if required.
  3. Make sure that Administration Console successfully connects to Administration Server and that the Kaspersky Event Log on the Administration Server computer does not contain errors like 'Generic db error: "11526 '{42000} The metadata could not be determined'.
- File server that supports the CIFS/SMB protocol, version 2.0 or higher, participating in a WSFC. Make sure you have provided high network bandwidth between the file server and the active and passive nodes.
- DBMS | MS SQL cluster on WSFC with Always On availability groups:
  - MS SQL cluster: SQL Server Failover Cluster Installation.
  - Listener DNS Name: specifies the DNS host name of the availability group listener. The DNS name is a string that must be unique in the domain and in NetBIOS.
  - Microsoft OLE DB Driver for SQL Server | Link (see above).
  - Pre-created database on the MS SQL cluster (the DB name should be one word without special characters). Grant the "DB Owner" permission to the account under which the Kaspersky Security Center services will run.

Switch conditions
The failover cluster switches protection management of the client devices from the active node to the passive node, with CGWs in the LAN or DMZ network, if any of the following events occurs on the active node:
- The active node\LAN-CGW\DMZ-CGW is broken due to a software or hardware failure.
- The active node was temporarily stopped for maintenance activities.
- At least one of the Kaspersky Security Center services (or processes) failed or was deliberately terminated by a user. The Kaspersky Security Center services are: kladminserver, klnagent, klactprx, and klwebsrv.
- The network connection between the active node and the storage on the file server was interrupted or terminated.

Deployment of a Kaspersky failover cluster
Creating an account for Kaspersky Security Center services
Create a new domain group, name it 'KLAdmins', and then grant local administrator permissions to the group on both nodes and on the file server. Then create two new domain user accounts, name them 'ksc' and 'rightless', and add the accounts to the KLAdmins domain group. Add the user account under which Kaspersky Security Center will be installed to the KLAdmins domain group.

Domain accounts
- Account for running the installer: local admin.
- Accounts for the Administration Server services and for work with the DBMS: gMSA service account.
  1. The gMSA service account will be used to run the Kaspersky Security Center 13 Administration Server services. How to create a gMSA account: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts
  2. The gMSA service account must have the dbo role permission on the pre-created Kaspersky database running on the MS SQL cluster. The dbo schema must be used by default. For more details on the required permissions: https://support.kaspersky.com/KSC/12/en-US/156275.htm
  3. Assign domain admin permission for the KSC installation process only.
- KLAdmins - Global security group:
  - Administration Server account - Domain\gMSA
  - Account for the other services from the Administration Server pool - rightless
  - Computer accounts $ksc-node1 and $ksc-node2
  - SQL account - Domain\gMSA or computer account $SQL-server

File server preparation
Prepare the file server to work as a component of the Kaspersky failover cluster. Make sure that the file server meets the hardware and software requirements, create the shared folders for Kaspersky Security Center data, and configure permissions to access the shared folders.

Step | Description
1 | Make sure that the file server meets the hardware and software requirements.
2 | Make sure that the file server and both nodes (active and passive) are included in the same domain, or the file server is the domain controller.
3 | On the file server, create the shared folders data, state, klshare and SC_Backup. One of them is used to keep information about the failover cluster state; another one is used to store the data and settings of Kaspersky Security Center.
4 | Grant full access permissions (both share permissions and NTFS permissions) on the created shared folders to the following accounts and groups: computer accounts $ksc-node1 and $ksc-node2; SQL account - Domain\gMSA or computer account $SQL-server.

Preparation of active and passive nodes
Prepare two computers with identical hardware and software to work as the active and passive nodes. To prepare nodes for a Kaspersky failover cluster:
1. Make sure that you have two computers that meet the hardware and software requirements. These computers will act as the active and passive nodes of the failover cluster.
2. Make sure that the file server and both nodes are included in the same domain.
3. Do one of the following:
   - Skip this step and configure the CGWs after installing KLFOC.
   - On each of the nodes, create a virtual network adapter. The virtual network adapters must be disabled. You can create the virtual network adapters in the disabled state or disable them after creation. The virtual network adapters on both nodes must have the same IP address.
   - Use a third-party load balancer. For example, you can use an nginx server. In this case, do the following: provide a dedicated Linux-based computer with nginx installed; configure load balancing; set the active node as the main server and the passive node as the backup server; on the nginx server, open all of the Administration Server ports: TCP 13000, UDP 13000, TCP 13291, TCP 13299, and TCP 17000.
4. Restart both nodes and the file server.
5. Map the two shared folders that you created during the file server preparation step to each of the nodes. You must map the shared folders as network drives. When mapping the folders, you can select any vacant drive letters. To access the shared folders, use the credentials of the user account that you created before.
The nodes are prepared.

Database Management System (DBMS) installation
Select any of the supported DBMS, and then install the DBMS on a dedicated computer. As best practice, use an HA configuration of the DBMS\SQL: an MS SQL cluster on WSFC with Always On availability groups (the SQL Server Failover Cluster Installation, the listener DNS name and the Microsoft OLE DB Driver requirements are listed under Prerequisites above).
DB - KLFOC: create the database with the specified name and grant the "DB Owner" permission to the account under which the Kaspersky Security Center services will run. The pre-created database on the MS SQL cluster should have a one-word name without special characters.

Kaspersky Security Center installation
Install Kaspersky Security Center in failover cluster mode on both nodes. You must first install Kaspersky Security Center on the active node, and then install it on the passive one. How-to instructions: Installing Kaspersky Security Center on the Kaspersky failover cluster nodes.

Specifying the Administration Server certificate
If necessary, you can assign a special certificate for Administration Server by using the command-line utility klsetsrvcert. To replace the certificate, you must create a new one (for example, by means of the organization's PKI) in PKCS#12 format and pass it to the klsetsrvcert utility:
klsetsrvcert.exe --stp klfoc -t C -i "C:\KLFOC\new-cert.pfx" -p "<password>" -l "new-cert-change.log" -o "NoCA"
When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error". To specify the new certificate and restore the connection, you can use the klmover utility.

Settings LAN\DMZ Gateways
Assigning workstations (LAN-GW) to act as a distribution point: enable the "Connection Gateway" feature.
Adding connection gateways in the DMZ as a distribution point:
1. Install the external gateways with the setting that this is a connection gateway in the DMZ.
2. On the KSC, add a distribution point as a connection gateway in the DMZ. KSC initiates a connection to the gateway, and the gateway will appear as a distribution point.
3. Open the properties and set the checkbox in the Connection gateway section.
4. Create a group for the GWs and add the workstations with installed DPs and GWs.

Configuration for Network Agent Policy
- Create 2 groups for workstations, DC-1 and DC-2, and a group for the GWs.
- For both groups create policies: Network Agent DC-1, Network Agent DC-2.
- Add Connection profiles and Network Locations for users in DC-1 and DC-2.

Testing the failover cluster
Check that you configured the failover cluster correctly and that it works properly. For example, you can stop one of the Kaspersky Security Center services on the active node: kladminserver, klnagent, ksnproxy, klactprx, or klwebsrv. After the service is stopped, protection management must be automatically switched to the passive node.

Troubleshooting
DB Error: check the permissions for the gMSA account.
KLBACKUP: run the klbackup utility with --stp klfoc:
klbackup --stp klfoc
Data backup and recovery in non-interactive mode
-
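For the nginx load-balancer option in the node preparation step, here is an added example (not from the article) of a shell helper that generates the nginx stream configuration the article asks for: every Administration Server port it lists (TCP 13000, 13291, 13299, 17000 and UDP 13000) is proxied to the active node with the passive node marked as backup, so clients are redirected only when the active node stops answering. The node addresses 10.0.1.11 and 10.0.2.11, the output path and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: generate an nginx "stream" (layer-4) front end for a Kaspersky failover cluster.
# Assumptions: node addresses below are placeholders; ports are those listed in the article.
ACTIVE_NODE="${ACTIVE_NODE:-10.0.1.11}"
PASSIVE_NODE="${PASSIVE_NODE:-10.0.2.11}"
TCP_PORTS="13000 13291 13299 17000"
UDP_PORTS="13000"

# Upstream with the active node first and the passive node as backup (used only when the active fails)
ksc_upstream_block() {
    cat <<EOF
    upstream $1 {
        server $ACTIVE_NODE:$2 max_fails=2 fail_timeout=10s;   # active node
        server $PASSIVE_NODE:$2 backup;                        # passive node
    }
EOF
}

# Listener for one port; $3 is "" for TCP or " udp" for UDP
ksc_server_block() {
    cat <<EOF
    server {
        listen $2$3;
        proxy_pass $1;
    }
EOF
}

# Whole stream {} block covering every Administration Server port
ksc_nginx_stream_conf() {
    echo "stream {"
    for p in $TCP_PORTS; do
        ksc_upstream_block "ksc_tcp_$p" "$p"
        ksc_server_block "ksc_tcp_$p" "$p" ""
    done
    for p in $UDP_PORTS; do
        ksc_upstream_block "ksc_udp_$p" "$p"
        ksc_server_block "ksc_udp_$p" "$p" " udp"
    done
    echo "}"
}

# Write the block to a file that the main context of nginx.conf includes, then validate
ksc_write_stream_conf() {
    out="${1:-/etc/nginx/ksc-stream.conf}"
    ksc_nginx_stream_conf > "$out" && nginx -t
}
```

The stream block must sit in the main context of nginx.conf, outside http {}, so include the generated file there (and make sure the build has the stream module loaded) before running nginx -s reload. Failover at this layer is passive: a client connection is handed to the backup only after the active node has failed max_fails connection attempts, which is why the article still expects Network Agents to reconnect rather than hold sessions across the switch.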
Advice and Solutions (Forum Knowledgebase)
Disclaimer. Read before using materials.
How to monitor KATA system health such as CPU, HDD, memory usage, service status, etc.? How to output this information?
Locally, monitoring of product operation and component health can be done in the KATA dashboard. CPU, memory or similar metrics can be viewed using built-in Linux tools in support mode. The available remote monitoring options are:
- SNMP
- Heartbeats in the SIEM integration
- Email notifications about alerts and system health
For the Sandbox component, only the SSL probing option is available:
echo "Q" | openssl s_client -connect sandbox:443
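Building on the SSL probing option above, an added example (not from the forum answer) that turns the openssl one-liner into a monitoring-style check: it reports CRITICAL when no TLS handshake completes, WARNING when the Sandbox certificate is about to expire, and OK otherwise, with exit codes a monitoring system can consume. The host name sandbox and port 443 come from the answer; the 30-day threshold, the 10-second timeout and the use of GNU date and coreutils timeout are assumptions.

```shell
#!/bin/sh
# Added example: TLS health probe for a KATA Sandbox node.
# Assumptions: openssl, coreutils timeout and GNU date on the probing host; SANDBOX_HOST/WARN_DAYS are placeholders.
SANDBOX_HOST="${SANDBOX_HOST:-sandbox}"
SANDBOX_PORT="${SANDBOX_PORT:-443}"
WARN_DAYS="${WARN_DAYS:-30}"

# 0 when a TLS handshake with host $1 port $2 completes within 10 seconds
sandbox_tls_up() {
    echo "Q" | timeout 10 openssl s_client -connect "$1:$2" >/dev/null 2>&1
}

# The server certificate's expiry, e.g. "notAfter=Jan  1 00:00:00 2099 GMT"
sandbox_cert_not_after() {
    echo "Q" | timeout 10 openssl s_client -connect "$1:$2" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null
}

# Whole days until a "notAfter=..." line expires (negative once expired); fails on empty/unparsable input
cert_days_left() {
    [ -n "$1" ] || return 1
    exp=$(printf '%s\n' "$1" | sed 's/^notAfter=//')
    exp_s=$(date -d "$exp" +%s) || return 1
    now_s=$(date +%s)
    echo $(( (exp_s - now_s) / 86400 ))
}

# Nagios-style result: 0 OK, 1 WARNING (certificate expiring), 2 CRITICAL (no handshake)
sandbox_health() {
    host="${1:-$SANDBOX_HOST}"; port="${2:-$SANDBOX_PORT}"
    if ! sandbox_tls_up "$host" "$port"; then
        echo "CRITICAL: no TLS handshake with $host:$port"
        return 2
    fi
    days=$(cert_days_left "$(sandbox_cert_not_after "$host" "$port")") || days=""
    if [ -n "$days" ] && [ "$days" -lt "$WARN_DAYS" ]; then
        echo "WARNING: certificate of $host:$port expires in $days days"
        return 1
    fi
    echo "OK: $host:$port answers TLS${days:+, certificate valid for $days more days}"
    return 0
}
```

Schedule sandbox_health from the SIEM or monitoring host that already receives the heartbeats of the other components, so the Sandbox node shows up in the same place as the rest of KATA; the expiry warning covers the case where the probe still succeeds today but the appliance certificate is about to lapse.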
-
Invalid encryption status of the device [KES Cloud]
svc_kms posted a blog entry in Kaspersky Endpoint Security Cloud's Kaspersky Endpoint Security Cloud
Problem
- Host connected to KES Cloud
- Disk encryption disabled in the profile
- Encryption error in the host properties

Workaround
Try to create a new security profile (create a new one, do not copy one of the current profiles), do not modify the encryption settings in it (leave them disabled), and assign the affected device to it. These steps should help to fix the problem.
Update: in case you encounter this with a server OS, it will be fixed in KES Cloud release 24.9.
Another possible cause on Windows Server OS: try to add the BitLocker Windows feature to all affected devices via Server Manager > Manage > Add Roles and Features. In the Features section choose BitLocker Drive Encryption. Wait for several minutes. The status will become 'OK'.
-
Configuring the KEA update task is of crucial importance. Updated KATA telemetry filters, exclusions and performance optimizations are delivered via bases. However, KEA has no transparent means to check the bases version locally. The solution is to check the bases version locally via the CLI.

KEA for Windows bases date
From an elevated Command Prompt, execute:
type "C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Bases\Current\aptem.stt"
The example output is as follows:
;202209190911
The format is ;YYYYMMDDHHMM.

KEA for Linux (LENA) bases date
Fresh installation: for a fresh LENA installation that has never been updated, the "aptem.stt" bases file might be missing.
From root or using sudo:
sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt
The output format is the same, ;YYYYMMDDHHMM. Using built-in tools, we can easily convert it to a readable date:
sudo cat /var/opt/kaspersky/epagent/update/bases/aptem.stt | sed -E 's/\;([0-9]{8})([0-9]{2})([0-9]{2})/\1 \2:\3/g' | xargs -0 date -d

Bonus: LENA's last update date
LENA's last update date is stored in epoch format in /opt/kaspersky/epagent/update/last_update. Using built-in tools, we can make it human-readable:
sudo cat /opt/kaspersky/epagent/update/last_update | xargs -0 -I% date -d \@%
It is also worth mentioning that "Last update date" is relevant, but it is still an entirely different value from the bases date. In case the bases in the repository are outdated, the last update date may be 5 minutes ago, yet the bases will remain old.
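As an added example (not from the original post), a POSIX shell helper that turns the two checks above into a staleness test a fleet script or monitoring job can run: it parses the ;YYYYMMDDHHMM stamp, computes the age of the bases, treats a missing aptem.stt (the never-updated fresh install) as stale, and reports the last_update epoch separately so the two values are not confused. The file paths come from the post; the assumption that the stamp is in UTC, the 72-hour threshold and the reliance on GNU date are assumptions.

```shell
#!/bin/sh
# Added example: bases-age check for LENA/KEA from aptem.stt, plus the separate last_update timestamp.
# Assumptions: stamp interpreted as UTC, GNU date available, 72-hour threshold is a placeholder policy.
STT_FILE="${STT_FILE:-/var/opt/kaspersky/epagent/update/bases/aptem.stt}"
LAST_UPDATE_FILE="${LAST_UPDATE_FILE:-/opt/kaspersky/epagent/update/last_update}"
MAX_BASES_AGE_HOURS="${MAX_BASES_AGE_HOURS:-72}"

# ";202209190911" -> "2022-09-19 09:11"; returns 1 unless the stamp is exactly 12 digits
kea_stt_to_iso() {
    s=$(printf '%s' "$1" | tr -d ';\r\n ')
    case "$s" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s-%s-%s %s:%s\n' \
        "$(printf '%s' "$s" | cut -c1-4)" "$(printf '%s' "$s" | cut -c5-6)" \
        "$(printf '%s' "$s" | cut -c7-8)" "$(printf '%s' "$s" | cut -c9-10)" \
        "$(printf '%s' "$s" | cut -c11-12)"
}

# Age of the bases in whole hours; fails when the file is missing (never updated) or unparsable
kea_bases_age_hours() {
    f="${1:-$STT_FILE}"
    [ -r "$f" ] || return 1
    iso=$(kea_stt_to_iso "$(cat "$f")") || return 1
    stamp=$(date -u -d "$iso" +%s) || return 1
    echo $(( ($(date +%s) - stamp) / 3600 ))
}

# 0 when the bases are stale (older than the threshold, or missing), 1 when they are fresh enough
kea_bases_stale() {
    age=$(kea_bases_age_hours "$1") || return 0
    [ "$age" -gt "$MAX_BASES_AGE_HOURS" ]
}

# LENA's last update attempt from the epoch value in last_update, as an ISO timestamp in UTC
lena_last_update_iso() {
    f="${1:-$LAST_UPDATE_FILE}"
    [ -r "$f" ] || return 1
    date -u -d "@$(tr -d '\r\n ' < "$f")" '+%Y-%m-%d %H:%M:%S UTC'
}
```

A host where lena_last_update_iso is recent but kea_bases_stale still returns 0 is exactly the situation the post warns about: the agent is updating on schedule from a repository that itself holds old bases, so the fix belongs on the update source, not on the endpoint.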
-
How to generate an installation package [KES for Mac]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Intro
This instruction describes how to create an installation package (.pkg) for the macOS operating system from the standalone installation package of Kaspersky Endpoint Security for Mac. You may need to create such a package to automate the installation of Kaspersky Endpoint Security via third-party systems (e.g. AirWatch).

Details
Files: Munki tool (with predefined files)
Prerequisites: Kaspersky Security Center; a macOS machine; Python must be installed.

Usage
1. Create a standalone installation package for Kaspersky Endpoint Security for Mac (https://support.kaspersky.com/KSC/14/en-US/182663.htm).
2. On a macOS machine, unzip the file munki-munki-pkg-e018bf1.zip to Desktop.
3. Open Terminal and navigate to the directory munki-munki-pkg-e018bf1:
   cd /Users/John/Desktop/munki-munki-pkg-e018bf1
4. Copy the built standalone installation package (kesmac11.2.1.145.sh) to the postinstall file in the kesmac/scripts/ directory:
   cp kesmac11.2.1.145.sh kesmac/scripts/postinstall
5. Modify the code of the standalone installation package with the vim editor:
   vi kesmac/scripts/postinstall
   Replace the section in the file with the modified section below (note that the line "#!/bin/sh" must be the first line in the file; there must be no empty lines before it):

   nagent/scripts/postinstall (new)
   #!/bin/sh
   logfile="/tmp/kesmac11.2.1.1450.log"
   wstrUnpackTempPath="${TMPDIR:-/tmp}"/"$(date '+%d.%m_%H.%M.%S.%N')"
   if [ -f "$logfile" ]; then
       rm -f "$logfile"
   fi
   ExitWithError() {
       echo "Clean temporary directory '$wstrUnpackTempPath'" >> $logfile
       rm -rf "$wstrUnpackTempPath"
       echo "$2" >> $logfile
       exit $1
   }
   rm -rf "$wstrUnpackTempPath"
   mkdir "$wstrUnpackTempPath" || ExitWithError 1 "Failed to create temporary directory '$wstrUnpackTempPath': error = $?"
   echo "Unpack archive to '$wstrUnpackTempPath'..." >> $logfile
   archive_marker_line=$(grep -an '^CCFAFCA1-F619-4618-B8C1-107EF7694A0C-ARCHIVE:$' "$0" | cut -d : -f 1 | tail -1)
   tail -n +$((archive_marker_line + 1)) "$0" | tar -xzf - -C "$wstrUnpackTempPath" > /dev/null || ExitWithError 1 "Failed to unpack archive: error = $?"
   echo "Found installer..." >> $logfile
   wstrExecName=$(grep -o -r "--include=*.kud" "--include=*.kpd" '^Executable=.*\.sh' $wstrUnpackTempPath | sed 's/.*=//' | sed 's/.*[\\/]//')
   [ ! -z "$wstrExecName" ] || ExitWithError 1 "Installer not found"
   echo "Found parameters..." >> $logfile
   wstrParams=$(grep -o -r "--include=*.kud" "--include=*.kpd" '^Params=.*' $wstrUnpackTempPath | sed 's/.*=//' | sed 's/\r//')
   echo "Run package installer '$wstrExecName $wstrParams' ..." >> $logfile
   sh "$wstrUnpackTempPath/$wstrExecName" $wstrParams >> $logfile || ExitWithError $? "Installation failed: error = $?"
   echo "Product successfully installed!" >> $logfile
   ExitWithError 0 ""

6. Add the execution bit:
   chmod +x kesmac/scripts/postinstall
7. You can also change the metadata (if needed) in the nagent/build-info.plist file:
   <key>version</key>
   <string>11.2.1.145</string>                 (version of the package)
   <key>name</key>
   <string>Kaspersky Endpoint Security.pkg</string>   (name of the package)
   <key>identifier</key>
   <string>com.kaspersky.kesmac</string>       (identifier of the package)
8. Perform the assembly:
   ./munkipkg kesmac
   The built package will be available in the kesmac/build directory with the name <name of package from build-info.plist>.pkg.

Important
Before installing, a configuration profile must be installed: https://support.kaspersky.com/kes11mac/settings/15647. The configuration profile contains settings that are only allowed through User Approved Mobile Device Management (UAMDM), so when you apply the configuration profile locally on the device, the error "Profile installation failure. System profile required. User profiles are not supported" appears. To avoid the error, use the remote administration utility.
When installing a .pkg built this way, macOS may give an error that the package has been signed by an unauthorized developer. It is necessary to allow it to run in the OS.
The installation log will be saved to the file /tmp/kesmac11.2.1.1450.log
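The postinstall script above is a self-extracting shell archive: everything after the marker line is a gzipped tar that the script unpacks from its own file ($0), which is why the shebang must be the very first line and the marker must survive the edit. As an added example (not from the original post), a small POSIX shell checker to run before ./munkipkg: it verifies the shebang position, the presence of the archive marker, the execute bit, and that the payload after the marker is a readable gzip stream. The marker string comes from the script on the page; the helper names are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a kesmac postinstall before packaging it with munkipkg.
# Assumptions: POSIX sh, grep -a, gzip -t; the marker is the one used by the script on the page.
MARKER='CCFAFCA1-F619-4618-B8C1-107EF7694A0C-ARCHIVE:'

# Line number of the archive marker (the script unpacks everything after it); empty when absent
kesmac_marker_line() {
    grep -an "^$MARKER\$" "$1" | cut -d : -f 1 | tail -n 1
}

# 0 when the file starts with "#!/bin/sh", contains the marker and is executable; reason on stderr otherwise
kesmac_check_postinstall() {
    f="$1"
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    [ "$(head -n 1 "$f")" = "#!/bin/sh" ] || { echo "line 1 is not '#!/bin/sh' (no blank lines allowed before it)" >&2; return 1; }
    [ -n "$(kesmac_marker_line "$f")" ] || { echo "archive marker not found; the installer payload was lost" >&2; return 1; }
    [ -x "$f" ] || { echo "execute bit not set, run: chmod +x $f" >&2; return 1; }
    return 0
}

# 0 when the bytes after the marker form a valid gzip stream (what "tar -xzf -" in the script expects)
kesmac_archive_ok() {
    f="$1"
    line=$(kesmac_marker_line "$f")
    [ -n "$line" ] || return 1
    tail -n +$((line + 1)) "$f" | gzip -t 2>/dev/null
}
```

Run kesmac_check_postinstall kesmac/scripts/postinstall && kesmac_archive_ok kesmac/scripts/postinstall after step 6; a failure of the second check usually means the editor saved the file with a changed encoding or stripped the binary tail, and the built .pkg would then fail at "Failed to unpack archive" at install time.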