Advice and solutions for Kaspersky EDR Optimum Latest Topics

Correct integration/installation [EDR Optimum]

Thu, 07 Dec 2023 13:27:55 +0000

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

This article will help you to check EDRO component correct installation and integration.

What you need to know about EDRO

1 EDRO working with KES 11.7+, KSWS 11.0.1 and KSV LA 5.2 (Windows only), so called EPP

https://support.kaspersky.com/KEDR_Optimum/2.3/en-US/216855.htm

2 You must use NWC for EDRO

3 You can't use only KEA for EDRO scenario. It always integrates with EPP.

How to check that EDRO component installed correctly

First of all you need to check whether KEA component was installed or not. And if it's installed then was it integrated with EPP.

KES

Starting with KES 11.7 EDRO agent is integrated in the KES.

First of all, check component status in MMC or NWC

MMC

NWC

If you see Not supported by license, pay attention to the version. If you see 0.0.0.0 or N/A, it means that component is not installed. Not supported by license doesn't mean that there is no license for EDRO, it may mean that component is not installed on the host.

When component is installed but not activated, you'll see installed component version:

MMC

NWC

If component was installed and was not activated, it will look like this in the KES GUI:

If component is not installed, then there will be no Detection and Response section in the KES GUI (in case MDR is installed, then there will be section Detection and Response, but there will be no Endpoint Detection and Response Optimum like you see above).

How to check EDRO license in the KES UI

You can check license components in the KES GUI. If there is no Optimum word, license do not support EDRO. For example:

And there's an example when license key supports EDRO:

KSWS

During KSWS installation you must enable Endpoint Agent, even if KEA was already installed on the host. KSWS detects it and enables connector with existing KEA (KEA will not be reinstalled).

This is how correctly installed KSWS + KES looks like in the MMC:

And if it not installed:

KSV LA

There is no change components task. You can change them only during the upgrade or installation. Reinstallation requires reboot.

During installation you need to choose Custom installation and enable integration with KEA

Remember that you can enable integration in the installation package properties in the KSC.

How to check NWC setup for EDRO

What to do if there is no Alerts section in the NWC.

How it looks If there is no Alerts section in the WEB UI

Go to the settings:

And enable EDR alerts:

In the KSC NWC there will be EDRO plugin by default. It installs with the console. So the only way to reinstall it - reinstall NWC.

How detection looks without installed EDRO component

If you see detection but without enriched information, you'll see it like this:

In the Enrichment and response section you'll see only Basic. It means where was a detection but no additional information about it was collected. Main reason why this may happen is that there's no EDRO component on the host.

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Sat, 02 Dec 2023 17:55:32 +0000

The materials provided on the Advice and Solutions (Forum Knowledgebase) part of the Forum result from the work of the Kaspersky Customer Support team and Forum community members. They are shared here for ease of use of Kaspersky products, deploying and configuring them.

Please remember that using commands or recommendations from the articles without a clear understanding of their purpose may result in errors or system inoperability. Please note that some materials presented are not official, so technical support may decline to support a specific unsupported configuration in some instances.

Please also ensure to use the official documentation, found in this link.

Which KES/KSWS detections generate Incident cards [EDR Optimum]

Mon, 30 Oct 2023 17:56:45 +0000

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You may wonder which product detection should create incident card, and which should not. Here's the answer.

Product	Component
KES	WebAV, MailAV, OAS/ODS, SystemWatcher, HIPS
KSWS	OAS, ODS, TrafficSecurity
KSV LA	WebAV, MailAV, OAS/ODS, SystemWatcher, HIPS

Preparing data to display. Please, wait... [EDR Optimum]

Mon, 30 Oct 2023 17:54:21 +0000

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem

Using EDR, you may encounter an issue where you're unable to view incident card regarding a detection in KSC Web Console. It looks like this:

Here we will discuss known causes of such behavior (several products are involved, so causes may be different).

Possible causes and solutions

MDR

In MDR, incidents are to be viewed using the dedicated MDR Console, and KSC version 13 and newer with configured MDR plug-in. KSC 12.* Web Console will not receive the data; this is expected behavior.

KES+KEA

If you first install KES without EA component, and then a standalone KEA package, KES EDRO integration will be disabled and killchain will not work.

Here is a quick way to determine if KEA was installed as a component of KES. Open regedit, then navigate to:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]

"AntiAPTFeature" = "1"

If the value is 0, proceed to the workaround to enable the component as described below.

To fix this, we ran Change application components task on the host, enabling Endpoint Agent in KES.

If KES/KEA integration is configured correctly, we can find the following in KES traces:

12:08:37.426 0x2a18 INF edr_etw Start processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, recordId = 6, taskId = 1128, result = 0

12:08:37.426 0x2a18 INF edr_etw Start processing actions = http:

//www.virusanalyst.com/eicar.zip//eicar/eicar.com, action = 4, recordId = 6, taskId = 1128, edrAction = 3489660999, result = 0

12:08:37.442 0x2a18 INF edr_etw Killchain is enabled!

12:08:37.442 0x2a18 INF edr_etw SystemWatcher is running!

12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect begin

12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::IsSystemWatcherDetect end

12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::InvestigateProcessIds begin

12:08:37.442 0x2a18 INF edr_etw product::component::edr::`anonymous-namespace'::InvestigateProcessIds end

12:08:37.442 0x2a18 INF edr_etw Finish processing detect = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com threat status = 1, recordId = 6, taskId = 1128,result = 0

12:08:37.458 0x1f18 INF edr_etw Finish processing AV detect result = 0

Searching for ThreatID in KEA traces:

12:08:37.426 0x2a18 INF amfcd ThreatsProcessingEventsLogic::OnTreatActionImpl: ctx:0x23d68510 [TI 0x1b8dd490: id = 0x6, : tdid = {7F620459-6C51-9E46-9A5D-689A9B0D0098}, name = http://www.virusanalyst.com/eicar.zip//eicar/eicar.com, add info: , 0x0] 0x4 0x0

KES+KEA (upgrade from KESB to EDR Optimum)

EDR Optimum requires KSC 12.1 or newer to work. This includes the Network Agent, which is a part of KSC, and is generally installed on the host alongside KES.

Using an outdated version of Network Agent (10.5, 11, etc.) will lead to the mentioned error when opening incident cards. If Network Agents were not upgraded along KSC, it's better upgrading them for EDR Optimum.

KES 11.7+

Check that EDR Optimum feature is enabled in registry (GSI > Registry > HKLM_Software_Wow6432Node_KasperskyLab.reg.txt ).

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\protected\KES\Installer\features]

EdrOptimumFeature = 1

If value is 0, run Change application components task on the host, enabling EDR Optimum in KES.

Also in traces (*.SRV.log) you can search for sentence bundles::InstalledFeaturesProvider::InstalledFeaturesProvider and check that EDROptimumFeature is there, for instance in example below such component is missing

KES.21.9.6.465_05.18_14.00_3952.SRV.log

11:00:36.897    0x26a0  INF bundles::InstalledFeaturesProvider::InstalledFeaturesProvider{ 3 (AVScannerAndCoreFeature)  28 (AdaptiveAnomaliesControlFeature)  0 (AdminKitConnectorFeature)  24 (AdvancedThreatProtectionFeature)  27 (AmsiFeature)  7 (ApplicationControlFeature)  17 (BehaviorDetectionFeature)  30 (CloudControlFeature)  4 (CriticalScanTask)  6 (DeviceControlFeature)  23 (EssentialThreatProtectionFeature)  11 (ExploitPreventionFeature)  8 (FileThreatProtectionFeature)  19 (FirewallFeature)  5 (FullScanTask)  2 (HostIntrusionPreventionFeature)  16 (MailThreatProtectionFeature)  14 (NetworkThreatProtectionFeature)  12 (RemediationEngineFeature)  25 (SecurityControlsFeature)  18 (UpdaterTask)  21 (WebControlFeature)  20 (WebThreatProtectionFeature)  22 (WholeProductFeature) }

KSWS+KEA

The same rule applies: KEA component needs to be installed in KSWS. KSWS does not have a "Change application components" task in KSC, so this has to be taken into account during KSWS deployment.

Here is a quick way to determine if KEA was installed as a component of KSWS. Open regedit, then navigate to:

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\KasperskyLab\\WSEE\11.0\Install]

"Features"="AntiCryptorNAS=0;AntiCryptor=0;AntiExploit=0;AppCtrl=0;AVProtection=0;DevCtrl=0;Fim=0;Firewall=0;ICAPProt=0;IDS=0;Ksn=0;LogInspector=0;Oas=0;Ods=0;RamDisk=0;RPCProt=0;ScriptChecker=0;Soyuz=0;WebGW=0"
(Soyuz needs to be set to 1)

If Soyuz is set to 0, apply workaround to enable it. KSWS allows to change its components locally or via cli.

Here is the example of how to set Soyuz=1 when KEA was installed not as a component of KSWS:

1. Locate ks4ws_x64.msi or ks4ws.msi (depends on OS architecture)

2. Create custom installation package based on ks4ws_x64.msi or ks4ws.msi from p.1 with parameters as per screenshot (add UNLOCK_PASSWORD= if KSWS is protected by password in policy)

3. Deploy package on problematic servers with KSWS and KEA, then check registry that Soyuz=1

4. Check host's properties at KSC side - EDRO should be in Running state in KEA

If KSWS/KEA integration is configured correctly, we can find the following in KSWS traces:

19:57:04.577 7a8 1310 info [edr] Published ThreadDetected:

VerdictName : HEUR:Win32.Generic.Suspicious.Access

RecordId : 0

DatabaseTime : 18446744073709551615

ThreatId : {ffb58079-6d8d-4a62-8ab0-021ff4ed61c5}

IsSilent : false

Technology : 3489661023

ProcessingMode : 3489660948

ObjectType : 3489660934

ObjectName : C:\Windows\System32\wbem\WmiPrvSE.exe

Md5 : e1bce838cd2695999ab34215bf94b501

Sha256 : 1d7b11c9deddad4f77e5b7f01dddda04f3747e512e0aa23d39e4226854d26ca2

UniquepProcessId: 0xf7c807730e051a0d

NativePid : 3360

CommandLine :

AmsiScanType :

AmsiScanBlob :

FileCreationTime: 1601-01-06T23:09:56.075520800Z

Searching for ThreatID in KEA traces:

19:57:05.583 704 9b0 debug [bl] ThreatsHandler: detect v2

verdictName: HEUR:Win32.Generic.Suspicious.Access

detectTechnology: 0xd000005f

processingMode: 0xd0000014

objectType: 0xd0000006

objectName: C:\Windows\System32\wbem\WmiPrvSE.exe

nativePid: 3360

uniquePid: 17854528913448180237

nativePidTelemetry: 3360

uniquePidTelemetry: 17854528913448180237

downloaderUniqueFileId:

downloadUrl:

isSilentDetect: false

threatId: ffb58079-6d8d-4a62-8ab0-021ff4ed61c5

19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59675, processed=59675, dropped=0, queueBytes=191

19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59676, processed=59676, dropped=0, queueBytes=132

19:57:05.583 704 650 info [evtstt] NetworkConnectionHandler statistics: queueSize=0, received=59677, processed=59677, dropped=0, queueBytes=371

19:57:05.583 704 9b0 debug [bl] Threats Handler: event processed, id = 2

19:57:05.584 704 1fc debug [killchain] Message discarded: name = ThreatDetect

The verdict is Message discarded, this means the detection won't trigger killchain generation.

No such entries can be found in traces, which might mean that EPP integration is not configured correctly (EDR component is disabled in KSWS).

Check killchain presence on the host

If all pre-requisites are met, it's worth checking if killchain files are actually created on the host. To check that, run cmd.exe as Administrator and check the c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects folder contents. Archives with .zip names should be present in the folder:

C:\WINDOWS\system32>dir "c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects"

Volume in drive C has no label.

Volume Serial Number is 8010-ADC0

Directory of c:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects

08/16/2021 12:20 PM .

08/16/2021 12:20 PM ..

08/16/2021 09:34 AM 636 0349c190-4ac3-4da4-9b64-07835298660f.zip //this is an archive with killchain info

08/16/2021 12:18 PM 696 1d306aa7-f37f-4ab2-969e-d337d398a995.zip

08/16/2021 09:34 AM 637 23a5dc93-5776-43c8-b949-79c102aa1184.zip

08/16/2021 12:19 PM 691 27bc9ea3-200b-49d2-b8b0-df7954cd428a.zip

08/16/2021 12:19 PM 683 40673c70-9e8e-420f-b5ce-65b406862b94.zip

08/16/2021 12:19 PM 688 590b6e30-4509-4b25-bdb0-062f89b7e062.zip

08/16/2021 12:20 PM 693 67993612-dc82-45a2-9e5b-74756adc46eb.zip

08/16/2021 12:20 PM 685 6a892bd1-f452-42d0-80b0-cb953cd7fc26.zip

08/16/2021 12:19 PM 686 a63fbafa-fcef-46f7-935f-42be4392a172.zip

08/16/2021 12:19 PM 699 d9d4f5eb-42b2-4460-8f8a-eb63bbef8791.zip

08/16/2021 12:19 PM 686 f6042624-9840-4a6e-9b30-9270cce22236.zip

11 File(s) 7,480 bytes

2 Dir(s) 240,763,092,992 bytes free