Posts posted by Michel-B


  1. KES: 11.0.1.90
    KSC: 10.5.1781

    Client OS: Windows 10 x64 1809
    Server OS: Windows Server 2016

    I'm using Application Startup Control in White List mode. This works fine, except for one thing that I cannot figure out:

    We have developers who create their own applications (executables mostly). Whenever they create a new version of the application, we had to add it to a category for the whitelist. That's why I chose the option to add applications to a category based on metadata.

    CFxMLlo.png

    I was told that this only works for applications that have been signed with a valid certificate. So we purchased one and instructed our developers to use it to sign their application.

    COlYaXQ.png

    I've added the certificate to the Trusted Publishers computer stores on every client that wants to run the application.

    Even when I do all this, the application still gets blocked. I've created a test environment with a clean KSC and client and cannot get it to work. What am I doing wrong here?

    XAIFemn.png
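    An added troubleshooting check for the setup described in this post (it is not from the original post or from Kaspersky's tooling): run on a client, it verifies that a developer-signed executable carries a valid Authenticode signature, that its chain builds on that machine, and that the signer certificate is present in the Trusted Publishers store. The executable path is a placeholder.

```powershell
# Added example, not from the original post: verify the signing prerequisites
# the poster describes (valid signature + signer in Trusted Publishers).
param(
    [string]$ExePath = 'C:\Path\To\DeveloperApp.exe'   # placeholder path
)

$sig = Get-AuthenticodeSignature -FilePath $ExePath

# Status must be 'Valid'. 'NotSigned', 'HashMismatch' or 'NotTrusted'
# (chain not trusted on this client) explain a blocked start on their own.
"{0}: signature status = {1}" -f $ExePath, $sig.Status

if ($sig.Status -ne 'Valid') {
    $sig.StatusMessage
    return
}

$cert = $sig.SignerCertificate
"Signer     : {0}" -f $cert.Subject
"Issuer     : {0}" -f $cert.Issuer
"Thumbprint : {0}" -f $cert.Thumbprint
"Valid until: {0}" -f $cert.NotAfter

# Is the signer certificate in the computer's Trusted Publishers store?
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($trusted) {
    "Signer certificate found in LocalMachine\TrustedPublisher."
} else {
    "Signer certificate NOT in LocalMachine\TrustedPublisher. Import it with:"
    "  Import-Certificate -FilePath <signer.cer> -CertStoreLocation Cert:\LocalMachine\TrustedPublisher"
}

# Does the certificate chain build here? A chain failure means this client
# does not trust the CA that issued the purchased certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
"Chain builds: {0}" -f $chainOk
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation }
}
```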


  2. That's annoying, because it did in fact always work like I intended it. Until the update.

    Now I've tried using the "Category with content added automatically", but that fails for me.

    1. Create a new category with content automatically added
    2. Set the path to the folder and scan the folder
    3. I can see all executables added with their SHA256 hash in the conditions
    4. I add the category to the folder
    5. Executables are still not whitelisted and KES is showing the category as 'Category is not defined'.

    I've added the category, policy and a screenshot.

    kes_vs_policy.png

    Test Policy.klp

    Auto_add_category.klc


  3. A file sent to us by e-mail was blocked by Kaspersky Security 9.0 for Exchange (9.4.189.0).

    Anti-Virus database issued: 21-8-2018 11:36 (latest)
    Anti-Spam database issued: 21-8-2018 11:51 (latest)

    The file is blocked because of an Excel file with macros attached. Check the attached screenshot for details. The exact same file scanned with KES 11 with the latest database is considered clean. Also, when I use your online scanning tool (Virusdesk), it comes back as clean.
    Why does Kaspersky for Exchange still consider it malicious, even though they both use the latest databases?

    For security reasons, I'd rather not share the file unless absolutely necessary.


    infected_email.png


  4. Since upgrading to KES 11.0.0.6499 and KSC 10.5.1781, some Application Folders with variables in them are no longer working; it used to work before upgrading. Can you confirm if anything has changed?

    We're using Application Startup Control in whitelist mode and have added a category to whitelist certain folders.

    This works when I use the example path: C:\Users\user01\AppData\Local\*

    However, when I use the following, it no longer works: %userprofile%\AppData\Local\*

    Has anything been changed related to using variables in folder paths?



  5. Create an installation package using the switches: /qn /norestart

    Also, look into device selections so you can easily see which device doesn't have the patch applied yet.

    For example, for Core1:

    (Device name="*"
    and Application name="Kaspersky Security 10.1 for Windows Server"
    and Critical update name="Kaspersky Security 10.1 for Windows Server Cumulative critical fix product core 1 (KB14306)" (not installed))



  6. Don't mean to interfere with this topic, but I've had something similar happen a while ago where I had a broken software category. It wasn't visible in the policy or something like that, or listed as Unknown (don't know the specifics). Compare the categories in the policy to the ones you have listed under 'Application Management > Application Categories'. Even though the policy that was 'broken' wasn't the one that would've affected the software involved, it still broke the whole application control. It was for an older version, but perhaps worth checking out.


  7. First KES is installed. After that, I try to install the VPN client with KES running. It will not install, even if I shut down KES. I can only install the VPN client when I completely uninstall KES. After installing the VPN client, I can install KES again and both will function normally.

    The logs were created on a clean installation of Windows 7.

    So:

    1. Install Windows 7 Pro x64
    2. Update Windows completely
    3. Install KES and update, reboot
    4. Install Pulse Secure client

    Download new trace + GSI logs here: 

    https://nmddrive.twc.nl/my-pub/FileLink/7fc0f6f1-a316-1336-b476-b3828e9b8be5/false


  8. When KES 10.3.0.6294 is installed on a Windows 7 x64 PC, the Pulse Secure VPN client cannot be installed. The setup does a rollback halfway through the installation and the MSI fails with error 1603. When KES is shut down, it still doesn't work. Only when completely removing KES can I install the client, and it works fine afterwards (with KES installed).

    On Windows 10, there don't seem to be any issues.

    You can download the latest version of Pulse Secure here: https://nmddrive.twc.nl/my-pub/FileLink/e5b6cd87-10db-30cf-c552-8dfba55a2ae2/false


  9. As with every kind of security, don't rely on a single product or feature. Solid security is built from many layers.

    Focusing solely on Kaspersky, it would be something like this:


    1. Virus comes in through a webpage or e-mail --> Mail and Web Anti-Virus

    2. If not detected by previous --> Application Startup Control can make sure you cannot run scripts or executables if you're working with a whitelist

    3. If not blocked by previous --> File Anti-Virus with a signature or heuristic could detect it

    4. If not detected by previous, the cryptolocker is able to run --> Application Startup Control can minimize the impact the process can have on your endpoint

    5. When the cryptolocker is running --> Anti-Cryptor with Untrusted Host Blocking can make sure the encryption of files on your file servers is stopped before it can do serious damage


    Of course it starts by minimizing the risks of malware entering your company. For example:


    - A decent spam/virus filter for your e-mail solution

    - IPS/IDS on your gateway

    - Blocking unknown USB disks with Device Control or something similar


    If all of these mechanisms fail, you're screwed, but the chances are fairly small if implemented well. If you, however, rely just on a File Anti-Virus scanner and that component fails to catch it, you're already screwed. ;)


  10. Are there any known issues with BitLocker FDE and the Windows 10 Creators Update (Redstone 2)?

    We're trying to set up BitLocker full disk encryption on an HP ProBook 650 G2 with Windows 10 1703. Clean install.

    When we reinstall the same notebook with Windows 10 Update 1607 it works without any problems. In that case, we use the exact same installation package, policy and installation procedure.


    The following message appears in the Kaspersky event log: Failed to prepare the system volume for encryption.


    KES 10.3.0.6294 (strong encryption)

    KSC 10.4.343
