
Kirill Tsapovsky

Admin

Posts posted by Kirill Tsapovsky


  1. Quote

    Following your logic: there may be several sources of infection that do not reveal themselves when checked with KES tools (for example, as here: there are unprocessed objects), and immediately after a full scan of the infected PC they infect it again? Or is it rather that the virus is not being disinfected?

    For questions related to virus removal, please contact the fan club forum.

    To diagnose an "unknown" host and understand the cause of the error, a GSI report collected on that host is required (or at least the output of the klnagchk utility run on the host with administrator rights; the utility can be found in the folder where Network Agent is installed).

    Thank you.

     


  2. 3 hours ago, siimao said:

    Ivan, good afternoon!

    Item 1: "Disconnect the infected host from the corporate network" - is this mandatory?

    Is there any way to do this without disconnecting from the network?

    Thank you!

    Good afternoon.

    Disconnecting from the network is necessary to rule out the possibility of re-infection (depending on the type of threat).

    Please note that this forum is devoted to technical questions about the operation of the antivirus software. For problems related to virus removal, please contact the resource intended for that:

    https://forum.kasperskyclub.ru/index.php?showforum=26

    Thank you.


  3. 1 hour ago, Harsky said:

    Good day!
    It is difficult to describe what does not exist.
    I have the task to install KES for different software deployment options. The server roles for which KES is intended can be any - Terminal server, File server or Application server. Ways to deploy KES can also be different, but unattended.
    Any deployment variant should not show the Initial Configuration Wizard window. It does not matter in what way this will be achieved - a disable on running avp.exe or importing a registry settings that will allow you not to run the Initial Configuration Wizard.
    /silent must be *SILENT*

    Hello.

    Due to legal reasons, the end user must accept the KSN statement in order for KES to run on the host. The installation itself is silent, but the agreement will be shown to the user on the first start of KES, whether it is initial or somehow delayed.

    Thank you.


  4. On 3/14/2019 at 1:46 PM, katbert said:

    I checked just now - the problem has stopped reproducing. It took up to 9 days. The selection of new computers now returns 0.

    On the day the problem appeared, I changed the retention period for removing inactive devices in Network polling\Domains, and on almost all domains in the list I enabled inheriting this period from the parent group. It seems that one of these actions made the KSC server treat all computers as new, and now the "new" period has expired.

    Good afternoon.

    According to information from the developer, the selection includes all devices discovered on the network within 24 hours before it is run.

    Please let us know if the previously mentioned problem reproduces again.

    Thank you.


  5. On 12/21/2018 at 4:03 AM, achilcott said:

    We're currently using Kaspersky Endpoint Security for Windows 11.0.0.6499. This is via the LogMeIn Central Product.

    We have the client installed on Windows Server 2016, Version 1607 (OS Build 14393.2551) and using Standard Windows Server Backup.

    The logs located in:

    
    %windir%\logs\windowsserverbackup

    Report the following:

    
    Error in deletion of [E:\System Volume Information\klmeta.dat] while pruning the target VHD: Error [0x80070020] The process cannot access the file because it is being used by another process

    Even after placing an exception in Windows Server Backup for "E:\System Volume Information" it is still failing. 

    I've tried disabling Kaspersky and running the backup then, but the same error continues to appear in the log files. I've searched the forums here and there was an issue logged in March:

    https://forum.kaspersky.com/index.php?/topic/390254-kis2018-locking-drives-klmetadat/&tab=comments#comment-2786844

    Which is similar to what I'm experiencing and as the Original Poster mentioned there has to be a better solution than uninstalling the EndPoint each time you need to run a backup job.

    Has anybody else had issue with this or experience with the klmeta.dat file? Perhaps there is a way for this file to be removed or prevented from being created by Kaspersky. 

    Hello.

    This behavior is expected on the part of KES, and is caused by wbengine.exe activity which tries to remove KL files from the System Volume Information folder without releasing locks on such files.

    This can be avoided by recreating the OS backup task, adding KL files (klmeta.dat, iswift.dat, ichecker.dat) to exclusions.

    Thank you.


  6. On 3/14/2019 at 12:31 PM, hafizaswant said:

    Dear KLAB Expertise,

    For some reasons, we are deploying the SVM version 5 manually through our host. However, after the SVM version 5 deployment is completed, we are unable to log in using username: root, password: 123456. These credentials refer back to version 4. May we have the default credentials so that we can configure the parameters for the SVM.

    Here is the case id

    INC000010265299

    Hello.

    Unfortunately, manual SVM deployment is not supported. Installation can only be done via KSC, after performing the necessary configuration, including login credentials.

    Thank you.


  7. 2 hours ago, Binmubarak said:

    Hello,

    Please note that the logon accounts for all Kaspersky services have changed to Local System, as seen below.

    I only performed 2 actions on my server, as stated below:

    1. I restarted the server.
    2. I also tried to open SQL Server 2014 Configuration Manager, which failed.

    But afterwards, all Kaspersky services had changed their logon accounts.

    Kindly advise.

    [screenshot: services list showing the logon accounts]

     

    Thank you

    Hello

    KSC services are not all intended to work as Local System. Please find the list here: https://support.kaspersky.com/9298

    Please see the Kaspersky Event Log on the server, and provide its export if possible. Alternatively, please collect a GSI report from the server (see the signature to this message), and it will contain the necessary data.

    It is possible that the server has been corrupted and needs to be reinstalled. The described changes in the system are not related to KSC functionality.

    Thank you.


  8. 6 hours ago, GIT Support said:

    Hi Team,

    1) We have checked the default report "Report on installed applications"; we are unable to get the complete list of installed software per computer. In it we get the complete application information, but we are unable to find the computers.

    2) We have created the new report "Report on applications registry history"; here too we are unable to get the complete list of installed software per computer. In it we are able to find only the recently installed and re-installed applications, but we are unable to find a complete per-computer report of installed applications.

    Kindly suggest us on this.

    Thank you.

     

    Hello.

    Please elaborate on "using KSC 10.4.343 & KSC 10.5.1781". On which of the servers does the issue reproduce?

    The list of computers where a specific application version is used can be viewed in the application registry, in the properties of said application entry. Alternatively, a computer selection can be created, with the condition to include only hosts which have a specific version installed. A software versions report does not represent data in this manner.

    Thank you.


  9. 4 hours ago, Фасхиев Рустем said:

    By "not completely" I meant that some parameters were applied and some were not. For example, password protection and the password itself were applied, and the simplified interface was also applied. But the list of local networks in the Firewall was not applied.

    Yes, the interface shows that the policy is applied. All settings are locked for users.

    The list of networks in the KSC policy is still left at the default: 172.16/12, 192.168/16 and 10/8. But the lock is open, because the list of managed devices contains child groups to which the policy inherited from this main one is applied, and in them the Firewall should be disabled. Perhaps the problem is exactly here?

    Yes, as Zandatsu already mentioned, the problem is the open locks.

    An open lock next to a setting in a policy disables inheritance of that specific setting further down the hierarchy. If a child policy exists, the corresponding setting will be open for editing there. If there are only endpoint hosts further down the hierarchy, the setting will be open for editing on the hosts.

    Accordingly, you can change the hierarchy and get the expected inheritance behavior by moving the machines from the root of the main group into one more child group, creating a separate policy in it, configuring the networks in its Firewall settings and closing the lock next to them. This way the main policy leaves the Firewall settings open for overriding, while the child policies override and enforce these settings on the hosts, each according to the needs of its own group.

    Thank you.


  10. 1 hour ago, minty1978 said:

    Hi Dmitry,

    Yes, this is in the Policy section, as per screen shot below:

    [screenshot: Policy.jpg]

    Hello.

    You can find the list of plugins in this article: https://support.kaspersky.com/9333

    However, plugins for unsupported versions (like KES 10.2.1.23, which MR1 possibly stands for) are not published there, or available for download any longer.

    There should not be any issues simply removing the redundant policy though.

    Thank you.

     


  11. 1 hour ago, kavmander said:

    Hi,

    Thanks for your answer !

    Locks are opened, is that the cause ? Do I need to close the locks to apply the strategy ?

    Thank you!

    Hello.

    The lock on the setting needs to be closed to enforce the corresponding setting down the inheritance chain, in this case down to the endpoint configuration.

    Open locks are not enforced, and therefore their corresponding settings will not be applied on endpoints.

    Thank you.
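The lock semantics described in replies 9 and 11 above (a closed lock enforces the setting down the inheritance chain; an open lock leaves it to be overridden by a child policy or by the endpoint's local value), as an added illustration. This is a toy model written for this page, not Kaspersky code; the policy names, setting names and the exact resolution order are assumptions made here.

```python
"""Toy model of KSC policy inheritance and setting locks.

Added example for this page; it is not Kaspersky code. Assumptions that are
not from the thread: a policy is a mapping of setting name -> (value, locked);
policies are listed from the top of the group hierarchy down to the group
holding the host, and the host's own local values come last; a locked setting
is enforced on everything below it, while an unlocked one is only a default
that a child policy or the endpoint itself may override.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    settings: dict = field(default_factory=dict)  # setting -> (value, locked)


def resolve(policies, host_local):
    """Return (effective_settings, enforced_by) for one host.

    enforced_by maps a setting to the name of the policy whose closed lock
    fixes it; settings absent from it end up with the endpoint's local value.
    """
    effective = {}
    enforced_by = {}
    for policy in policies:
        for key, (value, locked) in policy.settings.items():
            if key in enforced_by:
                continue  # locked higher up: lower policies cannot touch it
            effective[key] = value
            if locked:
                enforced_by[key] = policy.name
    for key, value in host_local.items():
        if key not in enforced_by:
            effective[key] = value  # open lock: the local value wins
    return effective, enforced_by


# Constructed sample data; the network list is the default one named in the thread.
DEFAULT_NETS = ("172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8")
HOST_LOCAL = {
    "password_protection": False,
    "firewall.enabled": True,
    "firewall.local_networks": ("192.168.5.0/24",),  # only its own subnet
}


def main_policy(lock_networks):
    return Policy("Main", {
        "password_protection": (True, True),  # lock closed
        "firewall.local_networks": (DEFAULT_NETS, lock_networks),
    })


def scenario_open_lock():
    """The thread's situation: the network list is unlocked in the main policy."""
    return resolve([main_policy(lock_networks=False)], HOST_LOCAL)


def scenario_child_policies():
    """The suggested fix: child policies close the lock for their own group."""
    workstations = Policy("Workstations", {
        "firewall.local_networks": (DEFAULT_NETS, True),
        "password_protection": (False, True),  # ignored: already locked in Main
    })
    servers = Policy("Servers", {"firewall.enabled": (False, True)})
    main = main_policy(lock_networks=False)
    return (resolve([main, workstations], HOST_LOCAL),
            resolve([main, servers], HOST_LOCAL))


if __name__ == "__main__":
    eff, enforced = scenario_open_lock()
    print("open lock   ->", eff["firewall.local_networks"], enforced)
    (ws, ws_by), (srv, srv_by) = scenario_child_policies()
    print("workstation ->", ws["firewall.local_networks"], ws_by)
    print("server      ->", srv["firewall.enabled"], srv_by)
```

With the lock open in Main, the host keeps its own one-subnet list, which is exactly the "policy applied, but the network list is missing" symptom from the thread; once a child policy closes the lock, its list is enforced, while a setting already locked in Main cannot be overridden by the child.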


  12. 1 hour ago, garu said:

    Hi,

    We have KSC 10.5.1781 and a domain controller on Linux with LDAP configured on that server. I want to create the group structure of the entire Active Directory, which is on the Linux server. All users log in to the systems as domain users via Samba. So will KSC be able to pull out the entire Active Directory hierarchical structure along with the OUs (Managed devices -> All tasks -> Create group structure)? If yes, then kindly provide me any article for reference.

    Thank You

    Hello.

    There is no specific support for LDAP on Linux in KSC, or instructions to configure it.

    If the domain can be polled using Network discovery, there should be no issue performing the mentioned task. Otherwise please ensure that KSC has access to Active Directory services.

    Thank you.


  13. 1 hour ago, Фасхиев Рустем said:

    Good afternoon.

    On some computers in the organization the policy from KSC is not loaded completely - the list of local networks does not appear in the Firewall, and as a result the computer is accessible only from the network it is in, and not from others. What could be the reason?

    KSC - 10.5.1781

    KES - 11.0.1.90

    Operating systems vary; there are both Windows 7 and Windows 10.

    Good afternoon.

    Please describe in more detail how the policy being applied "not completely" manifests itself.

    Does the KES interface show that the policy is applied? Are the other settings, apart from the Firewall, applied from the policy and unavailable for changing?

    What is the expected list of networks in the Firewall? Were the required networks added and configured in the policy? Make sure the lock next to this setting is closed.

    Thank you.


  14. 10 minutes ago, dale_bentley said:

    Would you like the open HP support case number and you can follow it up with them -  I have provided all information they have told us.

    You can find the standard KL support scope terms here: https://support.kaspersky.com/support/rules#en_us.block2

    Unfortunately, said information cannot be used to forward the investigation since it is contradictory. This issue needs investigating by HP, as explained earlier.

    From KL perspective, there is already a workaround, which is to remove HP Velocity.

    Thank you.

    UPD: I can see there is already an RnD-initiated discussion with HP over this error, following the previous cases. However, the current solution stands, for reasons mentioned. Changes are to be expected in future versions of either product.


  15. 14 hours ago, steken said:

    Based on information found on Google, this problem has existed for a long time. On social.technet.microsoft.com there is a thread on this problem dated September 2012, with the last message from June 2015. Are you saying that in all the time this problem has existed, the company still has not developed a patch? Or does not want to? Many revisions of KES 10 and the new KES 11 have been released. This problem is present in all versions.

    Since we use a licensed product and hold a license, we are entitled to technical support and a resolution of the problem as corporate users. Could you specify the timeframe for resolving this problem? Because it is impossible to use the product fully!

    Good afternoon.

    Resolving the problem was complicated by the fact that the error was caused not by our product but by the specific behavior of certain versions of wbengine.exe:

    Quote

    wbengine.exe enumerates all files on the volume, then tries to delete files from System Volume Information, but these files are in use by the driver and cannot simply be deleted; they will be closed only when the volume is locked or dismounted (FSCTL_LOCK_VOLUME / FSCTL_DISMOUNT_VOLUME), and wbengine.exe does not make such calls before deleting the files.

    In this situation there is nothing we can do; we cannot simply allow the meta-manager files to be deleted.

    A solution in this case was possible by explicitly adding to KES support for Windows backup, such as exists in KSWS. This was done in KES 11.

    Thank you.


  16. 2 minutes ago, dale_bentley said:

    If you read my original post you will see we already have an open case with HP Support. They have all the dumps and image diagnostics. No mention of HP Velocity being the potential culprit, so I gather they are unaware of this potentially causing any fault when in tandem with Kaspersky version 11.

     

    I will let them know however not sure what they will do with that information.

    In the original post, it says

    Quote

    HP have ruled out any hardware fault with desktops and cannot find any obvious faults with drivers,

    However, this cannot be accurate: "BSOD with fwpkclnt.sys" is itself an obvious fault with drivers. For this reason, I have mentioned that a more technical explanation from them could help us, however a sole mention that HP disown the error, will not.

    Thank you.


  17. 2 minutes ago, dale_bentley said:

    We have request ID INC000010263687 open and support engineer isn't trying to push us back to HP support - the Kaspersky engineer has provided us steps to help troubleshoot rather than trying to move us on.

    Not sure what "pushing back to HP support" in this context means: the error stated in the opening post of this topic is known, and the culprit is the HP driver. The suggestion to address HP for a solution is a logical extension of said fact. Engineers in CompanyAccount will collect the required minimum of information depending on the issue symptoms before presenting any conclusions.

    However, if there already is (for example) a technical explanation from HP hinting how KES might affect its driver's operation and consequently what can be done on KL part to resolve the issue, it can make sense to proceed with collecting the reproduction data. In this case, please proceed as previously mentioned.

    Thank you.


  18. 13 minutes ago, BeatYa said:

    HP Velocity is not installed on the mentioned machine.
    Right now I reproduce the BSOD and create memory dumps and GSI stuff...

    In this case, this must be an entirely different error. fwpkclnt.sys is explicitly the HP driver. Please verify that the memory dump is not referring to it; otherwise, the driver must have been removed improperly.

    When the new data is available, please attach it into the existing incident; alternatively, please close the incident to continue the case within this topic.

    Thank you.


  19. 2 hours ago, dale_bentley said:

    As explained, we immediately had to downgrade to KES10SP2 after the last BSOD with KES11 on those workstations, hence why GSI shows that version. We also have no full memory dump, only minidumps from when we had version 11 installed.

    So far today no further BSOD for all 3 workstations however will report back after a few days to confirm it remains this way. If no more BSOD then the culprit is definitely KES version 11 on this HP workstations.

    Hello.

    Unfortunately, since the issue only occurs in KES 11, system information from a host which has a different version and on which the issue does not reproduce cannot be used for analysis.

    However, there is a known issue with HP Velocity (which will likely be listed as the faulty driver in the memory dump). From the KL perspective, the solution is to remove the faulty software.

    Please address HP support if you require more information about the specifics of the fault.

    Thank you.


  20. 26 minutes ago, Zandatsu said:

    For KES 10 SP2, access for storage devices was set up in exactly the same way on our side, and there were never any such notifications. It started with KES 11.

    Event registration in KES depends on the behavior of the system.

    To resolve the problem in KES 11, please use the method described above.

    Thank you.


  21. 43 minutes ago, myousufhk said:

    Dear Support, 

    I am not asking you to investigate AD but your own Network Agent service, which is conflicting with the AD policy. I have already investigated and found out the root cause of the issue, but you guys need to fix it because the Network Agent service belongs to your domain, and also the AD policy has been applied there for more than two years and we have not faced a single issue with the applied settings in previous versions of Network Agent.

     

    The 2 policy defined are:

    1- Clean temp folder at startup. 

    2- Disable admin approval. 

     

    Please help me for the resolution of the issue. 

    To investigate from the perspective of Network Agent, please provide relevant data (Kaspersky Event Log, included in the GSI report from an affected host, reproduction scenario from the perspective of Network Agent).

    The AD suggestion can be helpful if you let us know which one setting in Windows policies is responsible for the issue, and in which exact manner the issue can be reproduced by using the one said setting. The provided description of the policies, unfortunately, does not unambiguously explain which settings in OS each of them modifies, or why two are provided without mention of whether they were observed to have the effect on the Network Agent service independently, only in tandem, or otherwise.

    Thank you.


  22. 42 minutes ago, garu said:

    hi,

    We want to search for the desired computer in the devices section using any character. Example: in KSC, under Devices, the device names are as follows:

    1036-kundan

    2058-Kumar

    6698-Kunal

     

    Now, if we search for ku* in the search box, will it show the result?

    please help to resolve this issue.

    Thank You

     

    Hello.

    Unfortunately, I could not establish from the description what the mentioned issue is, but I assume the following:

    Entering ku* in the search box will return all host names that start with the symbols ku and contain any number of subsequent symbols. None of the host names you specified match this search mask.

    If you need to find computer names which contain the symbols ku but do not necessarily start with them, you should use *ku*.

    If your host names are uniform (i.e. each of them starts with 4 digits, followed by a dash, followed by a human-readable name you need to search by), you can use this example:

    ????-ku*

    This will return host names which start with exactly 4 symbols, followed by -ku and then by any number (including zero) of consequent symbols.

    Thank you.
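The mask semantics described in the reply above, as an added example written for this page (it is not KSC code, and the exact matching rules of the KSC search box are assumed from the reply): * matches any run of characters including none, ? matches exactly one character, everything else is literal, and the whole name must match. Case-insensitive matching and the fourth host name are assumptions added here.

```python
"""KSC-style device-name search mask, as a small matcher.

Added example for this page; not KSC code. Semantics taken from the reply
above: '*' matches any run of characters (including none), '?' matches exactly
one character, anything else matches itself, and the whole name must match.
Case-insensitive matching is an assumption of this example.
"""
import re


def mask_to_regex(mask: str):
    """Translate a search mask into a case-insensitive regex (used with fullmatch)."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # literal, including '-' and digits
    return re.compile("".join(parts), re.IGNORECASE)


def search(names, mask):
    """Return the names matching the mask, in their original order."""
    pattern = mask_to_regex(mask)
    return [name for name in names if pattern.fullmatch(name)]


# The three host names from the question plus one constructed name that
# really does start with "ku", to show what "ku*" alone would return.
NAMES = ["1036-kundan", "2058-Kumar", "6698-Kunal", "ku-gateway"]

if __name__ == "__main__":
    for mask in ("ku*", "*ku*", "????-ku*"):
        print(f"{mask:10} -> {search(NAMES, mask)}")
```

Running it shows the three cases from the reply: ku* matches only the constructed ku-gateway, *ku* matches every name, and ????-ku* matches exactly the three "digits-dash-name" hosts from the question.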
