We have received a suspicious phishing email targeting our users through our mail system.

We are currently using Kaspersky Gateway Security with a valid license and would like your assistance in investigating this incident and applying a permanent protection solution.

The suspicious email details are:

Sender:
*****@*****.tld

Subject:
Leave/Vacation schedules are ready for qualified staff

We request the following:

Full analysis of the email headers and source.
Verification whether the sender address is spoofed.
Identification of the originating IP address and mail route.
Recommendations to permanently block similar phishing emails.
Assistance in configuring Anti-Phishing, SPF, DKIM, and DMARC protections on the gateway.
IOC extraction and security recommendations.

Please let us know if you require the original EML/MSG file or full headers for deeper investigation.

Best Regards,
Khaled depas

with kapseprsky web traffic sequrity gettting Database update     Failure 

how to fix?

Can you help me recover my forgotten password for Administrator web password for kaspersky mail gateway I have only access to the Hypervisor with SSH

Thanks

I need to know if exist a MIB objects for Kaspersky Web Traffic Security that support monitoring interface traffic

For example:

• Bandwidth % used in the intefaces.
• Bandwidth used for the clients.
• # of clients connected in each node.

Thanks in advanced!

i got a new licence and Activation Code for Web Traffic Sec on my Squid proxy.

In the Settings at the web-gui there is a "licence" subject, but it only allows to *delete* the active key. Not to add / update one.

Do i have to delete the key first, before  updating the new one?

Will Kaspersky halt if i delte the existing key and kill all my users connections?

I am afraid, i need some help here. The docs are not usefull on that...

regards

Sachbearbeiter

----> edit /etc/nginx/mime.types and add the following line where it alphabetically belongs, respecting the identation:
[root@kwts ~]# vim /etc/nginx/mime.type
types {
  ~
  application/x-ns-proxy-autoconfig			pac;
  ~
}

----> create a folder which will be hosting our .pac file:
[root@kwts ~]# mkdir /usr/share/nginx/pac

----> create /etc/nginx/conf.d/pacserver.conf (you need to edit the lines below according to your wanted scheme: <port>, <fqdn>):
[root@kwts ~]# vim /etc/nginx/conf.d/pacserver.conf
server {
  listen <port>;
  server_name  <fqdn>;
  charset utf8;
  location / {
    root /usr/share/nginx/pac;
    index proxy.pac;
  }
}
    
----> create your proxy.pac file and edit accordingly:
[root@kwts ~]# vim /usr/share/nginx/pac/proxy.pac 
function FindProxyForURL(url, host) 
{
        
        // Convert host to lower case
        var lhost = host.toLowerCase();
        host = lhost;
        
        // Convert url to lower case
        var lurl = url.toLowerCase();
        url = lurl;
        
        // Defining proxy Services
        var direct = "DIRECT";
        var kwts = "PROXY 10.1.1.250:3128";
        
        // Forced through --> KWTS
        if (shExpMatch(host, "Hostname.FQDN"))
            return kwts;
        
        // If the hostname suffix is within *.xxx --> DIRECT.
        if (shExpMatch(host, "*.local"))
            return direct;
        
        // DEFAULT RULE: Catchall --> KWTS
            return kwts;

}    
    
----> restart nginx services
[root@kwts ~]# systemctl restart nginx.service

----> verify that the assigned PACSERVER:PORT is up and listening:
[root@kwts ~]# ss -tnlp

----> test a proxy.pac retrieval:
[root@kwts ~]# curl http://<your.fqdn.suffix:port>/proxy.pac
function FindProxyForURL(url, host) 
{
        
        // Convert host to lower case
        var lhost = host.toLowerCase();
        host = lhost;
        
        // Convert url to lower case
        var lurl = url.toLowerCase();
        url = lurl;
        
        // Defining proxy Services
        var direct = "DIRECT";
        var kwts = "PROXY 10.1.1.250:3128";
        
        // Forced through --> KWTS
        if (shExpMatch(host, "Hostname.FQDN"))
            return kwts;
        
        // If the hostname suffix is within *.xxx --> DIRECT.
        if (shExpMatch(host, "*.local"))
            return direct;
        
        // DEFAULT RULE: Catchall --> KWTS
            return kwts;

}   
[root@kwts ~]#

You should afterwards be able to configure your OS'es/Browsers using the PAC file: http://kwts.domain.suffix:PORT/proxy.pac

Hope this helps,
Kind regards.
m.

---> Edit the squid.conf.template file + addons = last tree lines of the snipet below:

[root@kwts ~]# vim  /opt/kaspersky/kwts-appliance-addon/share/templates/squid.conf.template
{#-* This is a template for generating a configuration file *-#}
################################################################################
# This file was generated automatically.                                       #
# All changes to this file will be lost.                                       #
################################################################################

cache deny all
cache_mem 0
shared_memory_locking on
shutdown_lifetime 5 seconds
stats_collection deny all
error_log_languages off
via off
forwarded_for off
follow_x_forwarded_for deny all

---> Use the Web Admin interface and change any setting of the built-in proxy server. 
---> This will cause the settings update. For example, you can change the Access log parameters and save the changes.

You can test before and after here:
https://www.whatismybrowser.com/detect/what-http-headers-is-my-browser-sending

Cheers,
m.

I'm currently testing KWTS and honestly I'm very pleased with the appliance, stunning stuff!!
I've been a bit astonished that multi-homing or multiple Ethernet interfaces doesn't seems to be endorsed by default, simple stuff like "trusted/untrusted" interface was my goal.

Nevertheless, I found ways to enable KWTS in the layout I've wanted (perhaps not supported) and let me share that with you:

----> You need a public/private key pair in order to be able to access the KWTS Technical Support Mode (SSH):
----> creating the key pair:
ssh-keygen -o
----> You then need to upload the public key on KWTS Web Admin for being able to connect over SSH:
ssh -i kwts root@10.1.1.250

----> Enabling ip_forward / reboot persistent:
[root@kwts ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
#
net.ipv4.ip_forward = 1

----> Adding interface based routing (if needed etc..)
[root@kwts ~]# cat /etc/sysconfig/network-scripts/route-eth0
10.0.0.0/8 via 10.1.1.1 dev eth0

----> A few iptables rules in order to DROP anything except ICMP messages inbounding on eth1 (my untrusted interface):
[root@kwts ~]# cp /etc/sysconfig/iptables-config /etc/sysconfig/iptables-config.ORG
[root@kwts ~]# iptables -F 
[root@kwts ~]# iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT 
[root@kwts ~]# iptables -A INPUT -i eth1 -p icmp -j ACCEPT 
[root@kwts ~]# iptables -A INPUT -i eth1 -j DROP
[root@kwts ~]# iptables-save > /etc/sysconfig/iptables-config

Finally, I've setup the KWTS on a KVM Host which worked flawlessly using the ISO file.
 

Thanks,
Cheers,
m.