All Activity
-
How to change {admin} password on KATA 5.1 central node [KATA/KEDRE]

Description and cautions
One may need to change the admin account's password (the account used for SSH login).

KATA 5.0
For KATA 5.0 this article is not applicable: no option to change the Local Administrator / Cluster Administrator password is available by default in the pseudo-graphic menu in 5.0. See https://forum.kaspersky.com/topic/how-to-reset-kata-web-administrator-password-in-kata-50-katakedre-36844/

Details
In case of a standalone Central Node:
- Log in to the web interface of the CN.
- Enter the admin credentials (used for SSH login).
- Go to the admin account > Change password, as shown below.

In case of a distributed deployment (PCN and SCN):
- Log in to the web interface of the PCN.
- Enter the admin credentials (used for SSH login).
- Go to the admin account -> Change password.
- Log in to the SCN via SSH and change the password using the pseudo-graphic menu ("Change cluster admin password..." option).
-
Trusted Applications [KES for Mac]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
KESMac 12 and KESMac 11.3 patch C allow adding particular processes to the trusted section named Trusted Applications. Both the filesystem and the network activity of such processes can be ignored by the product, which increases performance. Please note, however, that this could be potentially risky.
https://support.kaspersky.com/KESMac/11.3_adminguide/en-US/194142.htm

Problem
This article describes a few ways to configure KES for Mac to exclude some software from the scope of the product.

Solution

Trusted applications
To be able to exclude an application from scanning with KES, the Trusted Applications function available in Kaspersky Endpoint Security for Mac can be used. The Trusted applications section is shown in the policy creation wizard; naturally, it can also be configured later by modifying the policy.
- Update the plugin to at least version 11.3.0.33 to get the new functionality.
- In some specific cases it might be required to put several binaries into Trusted Applications simultaneously for the exclusion to take effect. So a final solution might include several path-based exclusions accompanied by a few BundleID-based ones.
- Trusted Applications are only available for configuration via a KSC policy, i.e. it is currently impossible to add an application to exclusions without KSC installed.
- Additionally, the appropriate application control plug-in for KESMac must be downloaded and installed on the KSC prior to using the Trusted Applications functionality. It can be found on the corresponding download page.

Common exclusions for developers
It's suggested to exclude the following paths: "/Library/Developer/CommandLineTools" and "/Library/Toolchains" for the standard developer utilities, as well as "/Applications/Xcode.app/*" for Xcode. If you use alternative tools, contact Kaspersky Support to get the exact paths for further exclusions.

Excluding TCP 443 from port monitoring
Additionally, in case of HTTPS connectivity issues, unchecking port 443 in Monitored ports may also help.
-
KES Processing Error on Google Drive shares [KES for Windows]
svc_kms posted a blog entry in Kaspersky Endpoint Security's KES for Windows
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem Description, Symptoms & Impact
KES File Threat Protection sometimes can't check Microsoft Office documents from mounted Google Drive shares, therefore generating Processing error events. This issue is caused by an incompatibility between the Google Drive VFS driver and KES. There are no plans to make KES compatible with Google Drive.

Workaround & Solution
As a workaround, add files with Office extensions stored on the share to exclusions. This shouldn't lower protection, because Office creates a temporary copy of a document when it is opened; that copy is not in the exclusion scope and will still be checked.
Example for .xlsx files:
    Path\to\google\drive\folder\*.xlsx
where Path\to\google\drive\folder is replaced with the actual path.
-
Correct integration/installation [EDR Optimum]
svc_kms posted a blog entry in Kaspersky EDR Optimum's Kaspersky EDR Optimum
This article will help you check that the EDRO component is correctly installed and integrated.

What you need to know about EDRO
1. EDRO works with KES 11.7+, KSWS 11.0.1 and KSV LA 5.2 (Windows only), the so-called EPP: https://support.kaspersky.com/KEDR_Optimum/2.3/en-US/216855.htm
2. You must use NWC for EDRO.
3. You can't use only KEA for the EDRO scenario. It always integrates with EPP.

How to check that the EDRO component is installed correctly
First of all, you need to check whether the KEA component was installed or not, and if it is installed, whether it was integrated with EPP.

KES
Starting with KES 11.7 the EDRO agent is integrated into KES. First of all, check the component status in MMC or NWC.
- If you see "Not supported by license", pay attention to the version.
- If you see 0.0.0.0 or N/A, it means that the component is not installed.
- "Not supported by license" doesn't mean that there is no license for EDRO; it may mean that the component is not installed on the host.
When the component is installed but not activated, you'll see the installed component version (in MMC and NWC), and the KES GUI shows the component as installed but not activated.
If the component is not installed, there will be no Detection and Response section in the KES GUI (if MDR is installed, there will be a Detection and Response section, but no Endpoint Detection and Response Optimum entry like the one shown above).

How to check the EDRO license in the KES UI
You can check license components in the KES GUI. If there is no "Optimum" word, the license does not support EDRO. The screenshots show an example without EDRO support and an example where the license key supports EDRO.

KSWS
During KSWS installation you must enable Endpoint Agent, even if KEA was already installed on the host. KSWS detects it and enables the connector with the existing KEA (KEA will not be reinstalled). The MMC screenshots show how a correctly installed KSWS + KES looks, and how it looks if it is not installed.

KSV LA
There is no "change components" task. You can change components only during an upgrade or installation. Reinstallation requires a reboot. During installation you need to choose Custom installation and enable integration with KEA. Remember that you can enable the integration in the installation package properties in KSC.

How to check the NWC setup for EDRO
What to do if there is no Alerts section in the NWC: if there is no Alerts section in the web UI, go to the settings and enable EDR alerts.
In the KSC NWC the EDRO plugin is present by default; it is installed together with the console. So the only way to reinstall it is to reinstall NWC.

How a detection looks without the EDRO component installed
If you see a detection without enriched information, the Enrichment and response section shows only "Basic". It means that there was a detection but no additional information about it was collected. The main reason why this may happen is that there is no EDRO component on the host.
-
Step-by-step guide
You need a Mac device to collect an iOS device log via Apple Configurator.
1. Download Apple Configurator from the App Store.
2. Run Apple Configurator.
3. Connect your iOS device.
4. Unlock the device and tap Trust.
5. Open the iOS device → Console.
6. Reproduce the issue.
7. Save the log in Apple Configurator. Try to save the log as soon as possible after you reproduce the issue, because the log is constantly being overwritten.
8. Send the collected log file to Kaspersky support for further analysis.
-
Problem Description, Symptoms & Impact
Sometimes an error might occur when installing KSE:
    KseCheckServicePortIsFreeActionStep has completed with an error: Service network port 13100 is occupied by another application…

Diagnostics
Screenshot or KSEInfoCollector.
Make sure that port 13100 is open and not used by any application, and repeat the installation. This can be checked using the command below. You will see a table with a process ID (PID column) next to the address and port:
    netstat -aon | findstr 13100
You can then find this process by its ID in Task Manager or using the command below. Use the process ID found in the previous command instead of %PID%:
    tasklist /fi "pid eq %PID%"
Example:
    tasklist /fi "pid eq 18060"

Workaround & Solution
There's no way to change the port used by KSE. So the only option is to free the port used by the other application and repeat the installation. Sometimes IIS or W3WP.exe might be using the port. In some cases this port is occupied after Exchange updates, and the port should be released after a server restart.

RCA
Some application is using port 13100.
-
Problem
In previous versions of KATA it was possible to mount an NFS share to copy backups to. In KATA 5.x only CIFS share mounts are available out of the box.

Error
    root@1.srv.node1.node.dyn.kata:/home/admin# mount -t nfs 10.225.62.41:/mnt/NFS/KXDR /mnt/nfs
    mount: /mnt/nfs: bad option; for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount.<type> helper program.

Solution
Install the packages manually via dpkg in the following order to add NFS support:
    dpkg -i /home/admin/libtirpc-common_1.2.5-1_all.deb
    dpkg -i /home/admin/libtirpc3_1.2.5-1_amd64.deb
    dpkg -i /home/admin/keyutils_1.6-6ubuntu1_amd64.deb
    dpkg -i /home/admin/libnfsidmap2_0.25-5.1ubuntu1_amd64.deb
    dpkg -i /home/admin/rpcbind_1.2.5-8_amd64.deb
    dpkg -i /home/admin/nfs-common_1.3.4-2.5ubuntu3.5_amd64.deb
-
Problem description:
After generating the client certificate on the Central Node and uploading it to the KES policy, you can get the following error: "Enter a crypto-container password to use the certificate."
Note: If you are using KEA as a standalone product with a KEA policy, you can upload the client certificate properly.

Root cause:
By default, the cryptographic container is not password-protected. The cryptographic container contains only the certificate file, but not the private key file. The KES policy does not apply a certificate without a password (only KEA does).

Solution:
Access the Central Node via SSH under the root account.
1) Export your current certificate to a passwordless PEM file:
    # openssl pkcs12 -in mycert.pfx -out tmpmycert.pem -nodes
    Enter Import Password: <Enter no password>
    MAC verified OK
2) Convert the passwordless PEM to a new PFX file with a password:
    # openssl pkcs12 -export -out mycert2.pfx -in tmpmycert.pem
    Enter Export Password: <Enter password here>
    Verifying - Enter Export Password: <Enter password here>
Now you can use the new mycert2.pfx file with your new password. Delete tmpmycert.pem once mycert2.pfx has been created: the -nodes option writes the private key to it unencrypted.
-
So it is, after all, a periodic notification in the product, one that cannot be permanently disabled.
-
Problem
While WTP/NTP is enabled, the nft utility produces errors (on stderr) like:
    # nft list ruleset
    XT target TPROXY not found
    XT target TPROXY not found
    XT target TPROXY not found
    XT target TPROXY not found
These errors are caused by a bug in the nft utility and the xt_TPROXY dynamic library. This effect does not indicate functionality issues. This bug may be reported to the netfilter.org developers.

Explanation
Whenever the nft utility lists traffic rules, it dynamically loads extension libraries (for example, from /usr/lib/x86_64-linux-gnu/xtables on Debian), including TPROXY and CONNMARK. When nft encounters the first IPv4 rule, it sets the global "family=ipv4" state via the xtables_set_nfproto function, then loads libxt_TPROXY.so, which has both IPv4 and IPv6 targets, but the IPv6 ones are ignored due to that flag. After that, nft processes the IPv6 rules, but there are no IPv6 targets for them. As a result, the nft utility produces the "XT target TPROXY not found" errors.
-
How to fix issue with log rotation [Kaspersky Web Traffic Security]

Issue: Some log files in KWTS take up a lot of disk space. Log rotation for these files does not work.

Information
Information about log sizing and rotation can be found in the files in the /etc/logrotate.d folder on the KWTS server. The size of the log files should be no more than the following (log file : logrotate file that describes it : maximum size):
- All files in /var/log/kaspersky/kwts/extra/ : /etc/logrotate.d/kwts : 100 MB
- /var/log/kwts-messages : /etc/logrotate.d/kwts-syslog : 500 MB
- /var/log/kwts-important : /etc/logrotate.d/kwts-syslog : 50 MB
- /var/log/kwts-traces : /etc/logrotate.d/kwts-syslog : 500 MB
- /var/log/nginx/access.log : /etc/logrotate.d/nginx : 100 MB
- /var/log/nginx/error.log : /etc/logrotate.d/nginx : 20 MB
- /var/log/squid/icap.log : /etc/logrotate.d/squid : 100 MB
- /var/log/squid/ssl.log : /etc/logrotate.d/squid : 100 MB
- /var/log/squid/squid.out : /etc/logrotate.d/squid : 10 MB
- /var/log/squid/cache.log : /etc/logrotate.d/squid : 500 MB
- /var/log/squid/access.log : /etc/logrotate.d/squid : 500 MB
- /var/log/messages : /etc/logrotate.d/syslog : 100 MB
- /var/log/cron : /etc/logrotate.d/syslog : 10 MB
- /var/log/maillog : /etc/logrotate.d/syslog : 10 MB
- /var/log/secure : /etc/logrotate.d/syslog : 20 MB
- /var/log/spooler : /etc/logrotate.d/syslog : 1 MB

Actual result
The kwts-traces log file has grown to 4 GB.

Expected result
The kwts-traces file is no larger than 500 MB.

How to fix
Be prepared that you will need to reboot the server, and it will not process traffic while it is rebooting. You also need SSH access to the KWTS server: https://support.kaspersky.com/KWTS/6.1/en-US/183526.htm
1. Make sure that the trace level is set to "Error": https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm
2. Delete the largest log files (in our case /var/log/kwts-traces).
3. If you need to clear additional disk space, you can delete large archive files if you are sure that you do not need the information in them.
4. Reboot the KWTS server and make sure that the deleted large files (/var/log/kwts-traces) are recreated.
5. Find out from the table above which file describes the kwts-traces rotation. It is kwts-syslog.
6. Execute the following command:
    logrotate -f -v /etc/logrotate.d/kwts-syslog &> logrotatef.log
7. Make sure that all log files described in the /etc/logrotate.d/kwts-syslog file were rotated. (You can see which log files are described in this file in the table above.)

What's next
Monitor that the previously broken files (kwts-traces) do not exceed 500-600 MB. If the file continues to grow and is already 700 MB or more, run the command
    /usr/sbin/logrotate -v -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf &> logrotatestatus.log
and send the logrotatef.log file from step 6 and the logrotatestatus.log file to Kaspersky Support. Also send diagnostic info at "Debug" level. Do not forget to change it back to "Error" level: https://support.kaspersky.com/KWTS/6.1/en-US/174877.htm
-
Problem Description, Symptoms & Impact
The problem persists across different browsers, incognito mode and computers. The training status is "In Progress". The number of problematic users is small, usually limited to 1-5.

Diagnostics
The issue usually presents itself on the student's (not the admin's) side as a grey (inactive) button or a page that is not loading completely.

Workaround & Solution
- Clear the cache and cookies in the browser.
- Pause the training for the problematic user and then restart the training.
-
Problem Description, Symptoms & Impact
In KES 12.0, the way the Device Control component works has been changed. See the changelog: https://support.kaspersky.com/help/KESWin/12.0/en-US/127969.htm
Due to these changes, you may notice that printing becomes slow after you have upgraded KES to version 12.0 or higher. The delay may be around 30-60 s or even 10-15 minutes. When you disable KES, printing becomes instant. In some exceptional cases the delay may be so big that it's impossible to print anything and the system hangs. The issue affects both local printers and network printers.

Diagnostics
First of all, test whether the issue persists with the Device Control component disabled. If it does, move a device to a separate group for testing, create a new default KES policy there and check whether the issue persists under the default policy. If everything is fine under the default policy, this is a clear sign that something is wrong with your configuration. Additionally, try the latest PF for KES and check whether the issue persists on it. There are some optimizations there that fix some Device Control issues and can improve performance, but if the issue is in the policy configuration, it won't help much.

Workaround & Solution
Troubleshooting steps:
1. Select a host for troubleshooting and move it to a test group.
2. Install the latest PF on it, reboot and check the situation.
3. Check whether the issue is caused by the Device Control component and whether it persists when this component is disabled.
4. Check whether the issue persists under the main policy and under the default policy.
5. Check the policy configuration and how many devices have been added to the Trusted Devices list. If there are several hundred entries or more, try to find a way to reduce their number. Please see this public article for more details: https://support.kaspersky.com/KESWin/12.1/en-US/38595.htm It states "it is not recommended to add more than 1000 trusted devices, as this can cause system instability."
To reduce the list of trusted devices, you can use the wildcard * for printers of the same type.
-
NAgent 15 klmover behavior change [KSC for Windows]
svc_kms posted a blog entry in Kaspersky Security Center's Kaspersky Security Center Community
In NAgent 15, klmover was updated and now requires the NAgent uninstallation password if it is set in NAgent's policy. Right now the password can't be passed to klmover as an argument, but it can be supplied via echo:
    echo <password>|klmover -address <administration server ip>
Because cmd doesn't parse quotes and spaces in echo properly, if klmover is started from cmd and the password contains characters requiring quotes, klmover should be run from PowerShell. PowerShell has a Start-Process command that allows running a process as a different user; in this case it can be used in a batch script like this:
    cd "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\"
    powershell -Command "Start-Process powershell '-Command echo <password>|.\klmover.exe -address <address>' -Verb RunAs"
But if it is run as a scheduled task in a group policy, it would be better to set the task to run as a user with administrator privileges and set it to run with highest privileges.
Previous NAgent klmover versions are not compatible with NAgent 15.
-
Problem Description, Symptoms & Impact
Network security assessment tools detect multiple vulnerabilities in the SVMs.

Workaround & Solution
Below is a list of detected vulnerabilities and solutions, or reasons why they can't be fixed.

Open ports
SVMs have ports 22 and 80 open for communication with the Deployment Wizard and for providing updates to Light Agents, respectively. They are hardcoded and therefore can't be changed or closed without at least partially breaking the functionality of the product.

Browsable web directories
SVMs use them to share updates with Light Agents, and Light Agents need to be able to check for updates. This is not a problem, as only read-only Light Agent updates are available there.

Weak SSH encryption
By default SVMs use weak SSH key exchange algorithms. To fix that without losing the ability to configure the SVM via the Deployment Wizard, add the following line to /etc/ssh/sshd_config on the SVMs:
    KexAlgorithms diffie-hellman-group-exchange-sha256
-
Scenario
After the deployment of KSC in the environment, the Backup task fails with the following error, both with the KSC Backup task and with the klbackup utility (screenshot below). All permissions were correctly assigned on the shared folder and ports were opened, but the backup was still failing. There were no blocking events in the firewall traffic logs.
Error:
    -1963 ('Database connection is broken " 'Connection failure{08S01};' LastStataement='select type from sys.system_object where name = 'dsm_os_host_info';'"

Root cause
The issue was identified to be the IPS module of the firewall (Fortinet/Palo Alto) in the environment. When the backup task was initiated, the IPS module was blocking the SQL backup query with "SMB Injection/Attack" signatures.

Solution
Disable the IPS policy on the firewall for the KSC and MS SQL servers, and the backup task will complete successfully.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
This article is about Kaspersky Endpoint Security for Windows (KES for Windows).

The complete encryption procedure is as follows:
1. During authentication, a private key is generated based on the username and password.
2. The private key is used to decrypt the user's storage and extract the primary key.
3. The primary key is checked against the identifier specified in the file header. If it matches, the file encryption key is extracted from the header.
4. The file contents are decrypted using the key obtained in the previous step.

The operating system generates the private key for file decryption based on the authentication credentials. Until you log in to the system, only the encrypted versions of files can be accessed, so their contents are unreadable.

KES uses several types of keys to handle encrypted files:
- Administration Server's public key is stored in the Network Agent distribution package and gets onto the client computer when protection is deployed.
- User's private key is generated by the operating system based on the username and password. Private keys are not saved to the hard drive. The key stays the same as long as the account credentials remain the same; a new key is generated if the user or password changes.
- Primary key is created on the client computer when FLE is enabled. This key is used to encrypt all files. A copy of the primary key is saved in the computer's key storage, which in turn is encrypted using the KSC's public key. It is also saved in all active users' key storages, which are encrypted using their private keys. Thus, after authentication, any user can decrypt his or her storage and access the primary key.
- File encryption keys: a separate key is generated to encrypt each file.

When a file is encrypted, its name and other external attributes are not changed.
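The key chain above (credentials -> private key -> user storage -> primary key -> per-file key, with the identifier check in the file header) as an added toy model; this is illustration code, not Kaspersky's implementation. It assumes PBKDF2 for the private key, an HMAC-SHA256 keystream XOR as a stand-in for the real cipher, a truncated SHA-256 of the primary key as the header identifier, and omits the KSC public-key copy of the primary key.

```python
"""Toy model of the FLE key hierarchy described above (added illustration,
not Kaspersky's code). The cipher, derivation and header layout are
constructed stand-ins chosen only to show how the keys nest."""
import hashlib
import hmac
import os


def derive_private_key(username: str, password: str) -> bytes:
    # Models "a private key is generated based on the username and password".
    # The username acts as salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 100_000)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed toy stream cipher: HMAC(key, nonce||counter) blocks XORed
    # with the data. Symmetric, so the same call decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(kek: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(kek, nonce, secret)


def unwrap(kek: bytes, blob: bytes) -> bytes:
    return keystream_xor(kek, blob[:16], blob[16:])


def key_id(primary_key: bytes) -> bytes:
    # Identifier written into every file header (step 3 of the procedure).
    return hashlib.sha256(primary_key).digest()[:8]


class FleComputer:
    """One client computer with FLE enabled and its users' key storages."""

    def __init__(self, users: dict):
        self.primary_key = os.urandom(32)  # created when FLE is enabled
        # Each active user's storage holds the primary key wrapped with that
        # user's private key; the private key itself is never stored.
        self.storages = {u: wrap(derive_private_key(u, pw), self.primary_key)
                         for u, pw in users.items()}

    def encrypt_file(self, plaintext: bytes) -> bytes:
        file_key = os.urandom(32)  # a separate key per file
        # Header: 8-byte primary-key id + file key wrapped with the primary key.
        header = key_id(self.primary_key) + wrap(self.primary_key, file_key)
        return header + wrap(file_key, plaintext)

    def decrypt_file(self, username: str, password: str, blob: bytes) -> bytes:
        # Steps 1-2: derive the private key, open the storage, get primary key.
        priv = derive_private_key(username, password)
        primary = unwrap(priv, self.storages[username])
        # Step 3: check the header identifier before trusting the key.
        if blob[:8] != key_id(primary):
            raise PermissionError("primary key does not match file header")
        file_key = unwrap(primary, blob[8:8 + 16 + 32])
        # Step 4: decrypt the contents with the per-file key.
        return unwrap(file_key, blob[8 + 16 + 32:])

    def change_password(self, username: str, old_pw: str, new_pw: str) -> None:
        # A credential change yields a new private key, so only this user's
        # storage is re-wrapped; the primary key and the files are untouched.
        primary = unwrap(derive_private_key(username, old_pw), self.storages[username])
        if key_id(primary) != key_id(self.primary_key):
            raise PermissionError("wrong old password")
        self.storages[username] = wrap(derive_private_key(username, new_pw), primary)


def can_decrypt(pc: FleComputer, username: str, password: str, blob: bytes) -> bool:
    try:
        pc.decrypt_file(username, password, blob)
        return True
    except PermissionError:
        return False
```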
-
Problem Description, Symptoms & Impact
The installation of the Network Agent isn't possible on a device because of the error:
    System error 0x1F (A device attached to the system is not functioning.)

Diagnostics
In the MSI log and the Application event log the following line can be found:
    (1192/0x0 ("System container 'LOC-PUB-6EEB50F8D2EB46029DB4CCB77E0DA651' is corrupt")

Workaround & Solution
The issue comes from a corrupt cryptostorage in the OS. It's not a KL-related issue, although there is a possible solution to fix it.
1. On the problem host, launch cmd.exe with administrative privileges.
2. Run klcryptstgclean.exe:
    klcryptstgclean -tl 4 -tf $klcryptstgclean_trace.txt -l klcryptstgclean.log
3. Try to install NAgent.
4. If it doesn't help, perform the actions from the Cryptostorage-1.docx file.
5. If installation fails again, send the following files to Kaspersky Support: "$klcryptstgclean_trace.txt", "klcryptstgclean.log", and a new GSI with the klnagent installation logs.
It is not a KSC or klnagent related issue; it is an OS-related issue. If the workaround doesn't help, try the sfc /scannow command, OS restore, OS reinstallation, or contact MS support.
-
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Product: Any KSC version

Problem Description, Symptoms & Impact
Network Agent local installation errors: "Setup Wizard cannot process the command line", "Setup wizard cannot process the internal error."

Diagnostics
The error can be found on the screenshots or in the installation log.

Workaround & Solution
Some leftover registry records should be deleted, but there are too many different cases to describe them all. Collect detailed information about the error, a GSI (https://support.kaspersky.com/common/diagnostics/3632) with the Windows Event Log and an export of the following registry hives, and create a case at https://companyaccount.kaspersky.com for further investigation by Kaspersky experts.
Registry hives to export:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\
    HKEY_CLASSES_ROOT\Installer\Products
This article describes how to export registry keys: https://support.kaspersky.com/common/diagnostics/8576#block2

RCA
Leftovers of a previously installed Network Agent.
-
How to install a patch on multiple SVMs at once [KSV]
svc_kms posted a blog entry in Kaspersky Hybrid Cloud Security's Kaspersky Hybrid Cloud Security
Description and cautions
This article describes how to install a patch on multiple SVMs at once via Kaspersky Security Center.

Details
1. Create an installation package from the .kud file included with the patch: Advanced → Remote installation → Installation packages → Create installation package.
   - Choose Create an installation package for a Kaspersky application.
   - Choose a name for the package.
   - Select the .kud file in the file picker.
2. Create a remote installation task for that package: select the installation package → Install application.
   - If there is a separate group for SVMs, choose Install on a group of managed devices; otherwise choose Select devices for installation.
   - Select the administration group/devices to install the patch on.
   - Use the default installation settings.
   - Choose Do not place license key in installation package.
   - Choose No account required.
3. Start the patch installation.
-
General information
Kaspersky Web Traffic Security does not have a regular function for integration with external services via the ICAP protocol; however, it can be added by manually changing the configuration files of the built-in proxy server from the technical support mode.

Important: ICAP integration works in synchronous mode; data transfer is suspended until the ICAP server processes the request. This may introduce additional delays in the processing of user traffic, thus reducing the performance of the proxy server. The external ICAP service must be able to process a sufficient number of concurrent requests and be designed for the target load according to the manufacturer's recommendations.

Integration options
Below are several configuration options depending on which data streams you want to pass through an external ICAP service. To reduce the load, additional filtering of requests using ACL rules is possible. The configuration fragment for the selected integration option must be added to the built-in proxy server configuration file template according to the instructions at the end of the article.
In the examples, the chain of ICAP services is built in such a way that the request is first sent to the external ICAP and then checked by KWTS. If necessary, the order can be changed by editing the adaptation_service_chain directive accordingly.

The address of the ICAP service and the method of interaction with it are determined by the icap_service directive:
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/PATH
- bypass - determines how the proxy server behaves when the service is unavailable:
  - bypass=0 - the service is required; if it is unavailable, the user sees an error instead of the requested page
  - bypass=1 - if the service is unavailable, it is skipped
- icap://IPADDRESS:PORT/PATH - ICAP service address:
  - IPADDRESS - service IP address (a domain name cannot be specified)
  - PORT - TCP port number
  - PATH - path to the service (check the value in the documentation for the service)

Option 1. Sending only HTTP requests to external ICAP (REQMOD stream)
The option of sending only HTTP requests to an external ICAP service can be used when integrating with external DLP systems (for example, InfoWatch Traffic Monitor).

1.1. Transferring all HTTP requests to an external ICAP service
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    adaptation_access is_req_chain allow all

1.2. Transferring HTTP requests to an external ICAP service with POST and PUT methods only
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    acl acl_inspect_methods method POST PUT
    adaptation_access is_req_chain deny !acl_inspect_methods
    adaptation_access is_req_chain allow all

1.3. Same as 1.2 plus an additional filter: do not send requests from certain accounts (username starts with svc_)
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    acl acl_inspect_methods method POST PUT
    adaptation_access is_req_chain deny !acl_inspect_methods
    acl acl_bypass_users proxy_auth_regex -i svc_.*
    adaptation_access is_req_chain deny acl_bypass_users
    adaptation_access is_req_chain allow all

1.4. Same as 1.2 plus an additional filter: do not send requests when accessing certain URLs listed in the /etc/squid/bypass_urls.txt file
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    acl acl_inspect_methods method POST PUT
    adaptation_access is_req_chain deny !acl_inspect_methods
    acl acl_bypass_urls url_regex "/etc/squid/bypass_urls.txt"
    adaptation_access is_req_chain deny acl_bypass_urls
    adaptation_access is_req_chain allow all

Option 2. Sending only HTTP responses to external ICAP (RESPMOD stream)
The option of sending only HTTP responses to an external ICAP service can be used when integrating with external incoming traffic analysis systems, such as Kaspersky Anti Targeted Attack Platform.

2.1. Sending all HTTP responses to an external ICAP service
    icap_service is_ext_resp respmod_precache bypass=0 icap://IPADDRESS:PORT/RESPMODPATH
    adaptation_service_chain is_resp_chain is_ext_resp is_kav_resp
    adaptation_access is_resp_chain allow all

2.2. Same as 2.1 plus an additional filter: do not send responses for certain accounts (username starts with svc_)
    icap_service is_ext_resp respmod_precache bypass=0 icap://IPADDRESS:PORT/RESPMODPATH
    adaptation_service_chain is_resp_chain is_ext_resp is_kav_resp
    acl acl_bypass_users proxy_auth_regex -i svc_.*
    adaptation_access is_resp_chain deny acl_bypass_users
    adaptation_access is_resp_chain allow all

2.3. Same as 2.1 plus an additional filter: do not send responses when accessing certain URLs listed in the /etc/squid/bypass_urls.txt file
    icap_service is_ext_resp respmod_precache bypass=0 icap://IPADDRESS:PORT/RESPMODPATH
    adaptation_service_chain is_resp_chain is_ext_resp is_kav_resp
    acl acl_bypass_urls url_regex "/etc/squid/bypass_urls.txt"
    adaptation_access is_resp_chain deny acl_bypass_urls
    adaptation_access is_resp_chain allow all

Option 3. Sending both HTTP requests and HTTP responses to external ICAP (REQMOD and RESPMOD streams)
The option of sending HTTP requests/responses to an external ICAP can be used when integrating with external web traffic analysis systems that require both data streams, or when combining two external services according to options 1 and 2.

3.1. Transferring all HTTP requests/responses to an external ICAP service
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    icap_service is_ext_resp respmod_precache bypass=0 icap://IPADDRESS:PORT/RESPMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    adaptation_service_chain is_resp_chain is_ext_resp is_kav_resp
    adaptation_access is_req_chain allow all
    adaptation_access is_resp_chain allow all

3.2. Same as 3.1 plus an additional filter: do not send requests/responses for certain accounts (username starts with svc_)
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    icap_service is_ext_resp respmod_precache bypass=0 icap://IPADDRESS:PORT/RESPMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    adaptation_service_chain is_resp_chain is_ext_resp is_kav_resp
    acl acl_bypass_users proxy_auth_regex -i svc_.*
    adaptation_access is_req_chain deny acl_bypass_users
    adaptation_access is_resp_chain deny acl_bypass_users
    adaptation_access is_req_chain allow all
    adaptation_access is_resp_chain allow all

3.3. Same as 3.1 plus an additional filter: do not send requests/responses when accessing certain URLs listed in the /etc/squid/bypass_urls.txt file
    icap_service is_ext_req reqmod_precache bypass=0 icap://IPADDRESS:PORT/REQMODPATH
    icap_service is_ext_resp respmod_precache bypass=0 icap://IPADDRESS:PORT/RESPMODPATH
    adaptation_service_chain is_req_chain is_ext_req is_kav_req
    adaptation_service_chain is_resp_chain is_ext_resp is_kav_resp
    acl acl_bypass_urls url_regex "/etc/squid/bypass_urls.txt"
    adaptation_access is_req_chain deny acl_bypass_urls
    adaptation_access is_resp_chain deny acl_bypass_urls
    adaptation_access is_req_chain allow all
    adaptation_access is_resp_chain allow all

Making changes to the built-in proxy server configuration
1. Connect to the cluster node via SSH to access the technical support mode.
2. If the selected configuration option requires an external file with access lists (for example, bypass_urls.txt for options 1.4, 2.3, 3.3), place it in the /etc/squid directory. This must be done before any changes are made to the built-in proxy configuration template.
3. Change to the directory where the built-in proxy configuration file templates are located:
    cd /opt/kaspersky/kwts-appliance-addon/share/templates
4. Make a backup copy of the squid.conf.template file if you haven't already:
    cp -p squid.conf.template squid.conf.template.backup
5. Open the squid.conf.template file for editing using a text editor:
    vim squid.conf.template
6. Go to the end of the file and paste the configuration fragment for integration with an external ICAP service at the place marked below. The existing lines do not need to be modified in any way; the new lines go at the marked position:
    adaptation_send_client_ip on
    adaptation_send_username on
    icap_enable on
    icap_service is_kav_req reqmod_precache icap://127.0.0.1:1344/av/reqmod
    icap_service is_kav_resp respmod_precache icap://127.0.0.1:1344/av/respmod
    ### --> put your external ICAP configuration here <-- ###
    adaptation_access is_kav_req allow all
    adaptation_access is_kav_resp allow all
    icap_service_failure_limit -1
An example of inserting a configuration fragment (for option 1.2):
    adaptation_send_client_ip on
    adaptation_send_username on
    icap_enable on
    icap_service is_kav_req reqmod_precache icap://127.0.0.1:1344/av/reqmod
    icap_service is_kav_resp respmod_precache icap://127.0.0.1:1344/av/respmod
    ### External ICAP 
configuration begin ### icap_service is_ext_req reqmod_precache bypass=0 icap://x.x.x.x/reqmod adaptation_service_chain is_req_chain is_ext_req is_kav_req acl acl_inspect_methods method POST PUT adaptation_access is_req_chain deny !acl_inspect_methods adaptation_access is_req_chain allow all ### External ICAP configuration end ### adaptation_access is_kav_req allow all adaptation_access is_kav_resp allow all icap_service_failure_limit -1 Save changes to squid.conf.template In order for the changes in the template to be applied, change some setting of the built-in proxy server through the web interface. For example, you can turn off logging (Settings - Built-in proxy server - Log), save the changes, and then return the previous value back. Check that the changes have made their way into the main configuration file of the built-in proxy server: less /etc/squid/squid.conf Check the status of the squid service, it should be running: systemctl status squid This completes the procedure. The described actions must be repeated on each node of the Kaspersky Web Traffic Security cluster.
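As an added example (not part of the original article, and not Squid's or Kaspersky's code), the following Python evaluator models the Squid ACL and adaptation_access semantics used by the three filters above: lines of a chain are checked in order, the first match wins, and "!" negates an ACL. The bypass_urls.txt contents and the sample requests are constructed.

```python
import re

# Constructed contents of /etc/squid/bypass_urls.txt, one regex per line.
BYPASS_URLS = [r"^https?://updates\.corp\.example/", r"\.crl$"]

# ACL definitions from the fragments above: name -> (acl type, patterns)
ACLS = {
    "acl_bypass_users":    ("proxy_auth_regex", [re.compile(r"svc_.*", re.I)]),  # -i flag
    "acl_bypass_urls":     ("url_regex", [re.compile(p) for p in BYPASS_URLS]),
    "acl_inspect_methods": ("method", {"POST", "PUT"}),
    "all":                 ("all", None),
}

def acl_matches(name, req):
    """req is a dict with keys method, url and (optionally) user."""
    kind, pats = ACLS[name]
    if kind == "all":
        return True
    if kind == "proxy_auth_regex":
        # Simplification: an unauthenticated request never matches a user regex.
        user = req.get("user")
        return user is not None and any(p.search(user) for p in pats)
    if kind == "url_regex":
        return any(p.search(req["url"]) for p in pats)
    if kind == "method":
        return req["method"].upper() in pats
    raise ValueError(f"unsupported ACL type {kind}")

def chain_applies(access_lines, req):
    """access_lines: [(verb, acl), ...] as in 'adaptation_access <chain> <verb> <acl>'.
    Returns True when the transaction goes through the external+KAV chain and False
    when the chain is skipped (Squid then falls through to the later
    'adaptation_access is_kav_req/is_kav_resp allow all' lines of the template)."""
    for verb, acl in access_lines:
        negate = acl.startswith("!")
        if acl_matches(acl.lstrip("!"), req) != negate:
            return verb == "allow"
    # Squid default when nothing matches: the opposite of the last line's verb.
    return access_lines[-1][0] != "allow"

# The three filters from the text, expressed as (verb, acl) lists.
BYPASS_SERVICE_ACCOUNTS = [("deny", "acl_bypass_users"), ("allow", "all")]
BYPASS_LISTED_URLS = [("deny", "acl_bypass_urls"), ("allow", "all")]
INSPECT_POST_PUT_ONLY = [("deny", "!acl_inspect_methods"), ("allow", "all")]
```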
-
Issue

In KATA 4.1, when Central Node was used as Sensor, it was possible to access Traffic Capture and disable a protocol, e.g. SMTP.
CN-Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500.htm
Standalone Sensor - https://support.kaspersky.com/help/KATA/4.1/en-US/199500_1.htm

In KATA 5.0, this possibility is missing from the docs and from CN, and is only available on Standalone Sensor.

Solution

The workaround is to use the CLI and access the preprocessor configuration directly.

Settings section:

    #console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool | grep \"traffic\" -A 23

    "traffic": {
        "buffer_size_limit": 4096,
        "checksum_validation": false,
        "enable": true,
        "enable_dns": true,
        "enable_ftp": true,
        "enable_http": true,
        "enable_smtp": false,
        "enable_ssl": true,
        "ftp_data_expired_timeout": "PT60S",
        "ftp_data_supposed_max_size_bytes": 10485760,
        "iface_groups": [
            {
                "ifaces": [
                    "ens192"
                ],
                "core_id": null
            }
        ],
        "pcap_filter": "",
        "pcap_snaplen": 1600,
        "pcap_timeout": 10,
        "tcp_threads_number": 16
    },

Example: disable SMTP, enable the rest:

    #console-settings-updater set --merge /kata/configuration/product/preprocessor_span '{"traffic": {"enable_dns": true, "enable_ftp": true, "enable_http": true, "enable_smtp": false}}'

Example: change the settings via an edited file:

    #console-settings-updater get /kata/configuration/product/preprocessor_span | python3 -m json.tool > /tmp/preprocessor_span.json
    #vim /tmp/preprocessor_span.json
    #console-settings-updater set /kata/configuration/product/preprocessor_span @/tmp/preprocessor_span.json
-
Advice and Solutions (Forum Knowledgebase)
Disclaimer. Read before using materials.

Product: KSC 11 and more recent versions

Consider the following problematic scenario:
- You use a caching proxy server to download updates for the KSC Server, for example, Squid.
- KSC is configured to download updates via https (default config).

$up2date-1103-eka.log analysis

KL uses the HTTP public key pinning mechanism to verify update server authenticity; the certificate used for authentication is self-signed by KL. A certificate revocation list is also implemented. More information about the certificate revocation process is available here:
https://learn.microsoft.com/en-us/archive/blogs/ieinternals/understanding-certificate-revocation-checks
https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx

A recent update of the CRL was performed at the end of July 2023. The CRL is available at this link: http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl
The old CRL was valid till 23.7.2023 and is expired now. When KSC requests the CRL file, the proxy server sends back to KSC the cached version of it and the CRL verification fails. The details can be found in the $up2date-1103-eka.log to identify the issue precisely:

    04:01:48.817 0x326c INF httpcli cert_revoke 0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired)
    04:01:48.817 0x326c INF httpcli Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired)
    04:01:48.892 0x1d0c INF updater core: ========= Downloading primary index result TLS error =========

Troubleshooting steps

To solve the problem, an administrator of the proxy server should turn off caching of the http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl file.
It is recommended to turn off caching for all files downloaded from public update servers using this mask:

    *.kaspersky.com
    *.kaspersky-labs.com

An alternative workaround: set a server flag for KSC using the following command:

    klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1

Also, set a server flag for Update Agents (Distribution Points) that get updates from the Internet, if any:

    klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1

Explicitly set the update task to use HTTP sources for URLs, for example, http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter at http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml
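As an added example (not Kaspersky's code), the following Python snippet runs detection logic over $up2date-1103-eka.log lines for the stale-CRL symptom described above. The sample lines are the ones quoted in the text; the field layout (time, thread id, level, component, message) is inferred from them, and the hint text is constructed.

```python
import re

# Field layout inferred from the quoted lines: time, thread id, level, component, message.
LOG_LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<thread>0x[0-9a-f]+)\s+"
    r"(?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$")
CRL_EXPIRED = re.compile(r"0x(?P<code>[0-9a-f]+) \(http_client::eCrlHasExpired\)")
INDEX_RESULT = re.compile(r"Downloading primary index result (?P<result>.+?) =+")

# Sample log: the three lines quoted in the article.
SAMPLE_LOG = """\
04:01:48.817 0x326c INF httpcli cert_revoke 0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired)
04:01:48.817 0x326c INF httpcli Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired)
04:01:48.892 0x1d0c INF updater core: ========= Downloading primary index result TLS error =========
"""

def parse(lines):
    """Yield one dict per line that matches the inferred layout; skip anything else."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()

def diagnose(log_text):
    """Return a finding when eCrlHasExpired errors are followed by a TLS error on the
    primary index download (the combination the article attributes to a cached CRL);
    return None otherwise."""
    crl_errors, index_result = [], None
    for rec in parse(log_text.splitlines()):
        m = CRL_EXPIRED.search(rec["msg"])
        if m:
            crl_errors.append((rec["time"], m.group("code")))
        m = INDEX_RESULT.search(rec["msg"])
        if m:
            index_result = m.group("result")
    if crl_errors and index_result == "TLS error":
        return {
            "finding": "stale CRL",
            "error_code": crl_errors[0][1],
            "occurrences": len(crl_errors),
            "first_seen": crl_errors[0][0],
            "hint": "check whether the caching proxy serves an old copy of the Kaspersky CRL",
        }
    return None
```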
-
Apparently, this is the topic in question. Judging by the replies, the AG developer's question is more about the notification itself, which cannot be hidden and periodically reminds you of itself, than about the substance of the incompatibility.
-
Advice and Solutions (Forum Knowledgebase)
Disclaimer. Read before using materials.

Problem Description, Symptoms & Impact

It is not possible to use a proxy server for KATA 5.0 and/or KATA 5.1 CN on TCP ports 8080, 8090 or 8091. If you configure the proxy server connection settings in KATA 5.0/5.1 using one of those ports, the configuration will result in KATA update task failures and KSN connection errors right after the settings are applied.

This happens because KATA uses ports 8080, 8090 and 8091 for its internal services, and preconfigured default iptables rules prevent incoming and outgoing connections on those ports for external hosts outside of the KATA cluster. This in turn results in connection errors if those ports are also used by the product for outgoing connections to a proxy server.

Diagnostics

It can easily be confirmed whether a KATA server is facing those updater and KSN issues by checking the current proxy server configuration in the product's web interface: if one of the listed ports 8080, 8090 or 8091 is used, then the KATA server is probably facing the issue.

Alternatively, you can run the iptables -nvL DOCKER-USER command and check whether the number of rejected packets in the corresponding rules for ports 8080, 8090 and 8091 steadily increases while running the update task in KATA.

Workaround & Solution

To avoid this issue, use one of the following 2 options:
- Do not use a proxy server for KATA connections; configure a direct internet connection for the KATA CN nodes.
- Use a proxy server on a different port; for example, port 3128 is quite a standard option in such cases.
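As an added example (not Kaspersky's code), the following Python snippet automates the second diagnostic above: it compares two snapshots of iptables -nvL DOCKER-USER output taken before and after an update task and reports REJECT rules for ports 8080, 8090 and 8091 whose packet counter grew. Both snapshots are constructed to look like iptables -nvL output; the real KATA rule set may differ.

```python
import re

KATA_INTERNAL_PORTS = {8080, 8090, 8091}

# Columns of `iptables -nvL`: pkts bytes target prot opt in out source destination [extra]
RULE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+(?P<opt>\S+)\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
DPT = re.compile(r"\bdpt:(\d+)\b")

# Constructed snapshot before running the update task.
BEFORE = """\
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 reject-with icmp-port-unreachable
    3   180 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8091 reject-with icmp-port-unreachable
 9001 54321 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed snapshot after the task, with a proxy configured on port 8080.
AFTER = """\
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   47  2820 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 reject-with icmp-port-unreachable
    3   180 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8091 reject-with icmp-port-unreachable
 9100 55000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_counters(snapshot):
    """Map (target, destination port) -> packet count for rules that carry a dpt: match."""
    counters = {}
    for line in snapshot.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # chain header, column header, or a line in another layout
        p = DPT.search(m.group("extra"))
        if p:
            counters[(m.group("target"), int(p.group(1)))] = int(m.group("pkts"))
    return counters

def growing_rejects(before, after, ports=KATA_INTERNAL_PORTS):
    """Return {port: packet delta} for REJECT rules on the given ports whose counter increased."""
    b, a = parse_counters(before), parse_counters(after)
    return {port: a[(t, port)] - b.get((t, port), 0)
            for (t, port) in a
            if t == "REJECT" and port in ports and a[(t, port)] > b.get((t, port), 0)}
```

A non-empty result points at a proxy configured on one of the reserved ports; an empty result means the counters did not move during the task.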