Everything posted by Michel-B

  1. Incident is closed and there's no solution for this bug. It's supposedly fixed in SP2 but that's not expected until the end of the year. So this is not an option for us, we'll have to look for an alternative. Also, it was claimed to work in the next version for servers, which should be released soon. I don't understand how this could be fixed for servers but not for clients. The whole reason this option is available in the KSC is because of the client version, as no other version ever had the Application Control module. Why can't this be fixed for clients?
  2. Ok so this was his reply: And later... I don't get this, really. This should be supported in KES and it's an important part of the functioning of App Control. I would really like to know if this is supposed to be fixed soon. Not in a next version, because we have no clue when that's gonna be and we need to use it right now.
  3. Ok, that's rather annoying. When can we expect SP2? Roughly... I don't need an exact date but is it Q1, 2 or not even this year?
  4. I'm trying to add some safe folders in my Application Startup Control policies. These folders are located in the user profile folder, so I'd like to add that folder to a specific category by using: %userprofile%\some_folder\ This doesn't seem to work. It will only work if I use the full path, including username-folder like: C:\Users\username\some_folder. Obviously, this doesn't work when you're trying to do this for 300+ users. Is there any way to do this? KSC: 10.2.434 KES:
  5. I have submitted the requested info, but seeing as 3 different people with different versions reported this issue in this topic alone, I'm assuming this is very easy to reproduce by the developers.
  6. I'm wondering if you've ever resolved this, because I just came across the exact same issue. Using a default deny setup and since a couple of days all my custom added applications messed up and couldn't be started anymore. Quite fun when 300 people suddenly start calling about application malfunctions. Came across this topic, and realized there was a file added based on a certificate. After removing this, the category seemed to work again. KSC 10.2.434 + patch D KES EDIT: I have a server trace file, if you want it, tell me where I can upload it. Don't wanna post it on a public forum. Don't know if there's anything interesting in it though. It's just a trace of me adding a file based on cert to a category. Also created an incident: INC000005852596
  7. I would just use Kaspersky Endpoint Security 10 on your clients and make use of the Application Startup Control, Application Privilege Control and System Watcher. With that, you've covered the biggest risks unless you actually have users working (logged in) on a server OS. For terminal servers we use Kaspersky File Antivirus and Microsoft AppLocker until WSEE 10 gets released. The key is to limit the things users can run, like executable files and Office macros. Apart from that, make sure you have your folder permissions set up correctly. I've seen it plenty of times where someone only needs access to folder A, but instead has access to A, B, C, D, etc. When a cryptolocker manages to run, the damage is far greater than it could've been if that user was limited to the folders he/she needs. So no 'Everyone - Full Control' on your folders. Obviously, this should be a standard IT policy in every company.
  8. I'm pretty sure we'd have to wait for WSEE (10) to be released for that as it includes Application Startup Control and Anticryptor. http://forum.kaspersky.com/index.php?showtopic=333483 That being said, I'm pretty sure the vast majority of cryptolockers are being executed by end-users on their clients. So, in my opinion, the main focus to prevent cryptolockers should be on clients, not servers. I'm just desperately waiting for Application Startup Control for servers so we can get rid of Microsoft's AppLocker and use Kaspersky just like we do on clients.
  9. Thanks Tybilly, that was very informative and makes perfect sense. While those scenarios are definitely possible, it must have been a hell of a coincidence. Update tasks are set to run on both the servers and clients as soon as new updates are available in the repo and KSN is enabled on both policies too. Perhaps we were just very unlucky. We were already in the process of setting up a default deny Application Startup Control policy, which is now finished (but not before this cryptolocker could have a go at it). Perhaps the privilege control/system watcher is a good additional layer.
  10. Ok, clear. I'm glad it does that. But can you then explain to me what this protection scope does, if it gets scanned regardless?
  11. Using KES (MR2). Are you saying that, regardless of where the file is (local or network drive), it gets checked anyway? If so, what use is the 'All network drives' checkbox?
  12. I thought I've read somewhere in Kaspersky's recommendations that network drives should not be selected in the File Antivirus component. Yesterday, we've had a cryptolocker running around the network, probably executed by a user from a network drive. Kaspersky didn't seem to pick it up. However, we did get a notification at pretty much the same time the malicious file was executed from the Kaspersky agent that was running on the file server that the network drive was mapped to. So, I fear the following (but could be wrong): The user executed the file (located on a file server) from a network drive. It was detected on the file server, but not on the client the user was logged on to, because network drive scanning is disabled. Is this possible?
  13. I ended up removing it with kavremover as well in Safe Mode. I tried this before and it didn't work, but I checked the wrong log (I had 10+ by then) and thought it was the same issue with avpsus. I know, that wouldn't make sense in Safe Mode, but still. So, I've been able to remove it all and it seems to be working. But now for the million dollar question: How/why does this happen? Obviously, it's unacceptable that the network connectivity gets messed up on 2 separate occasions when enabling the encryption module.
  14. These problems might be related or not, I haven't figured that out yet. We were recently testing FLE and installed the AES 256 encryption module on 2 Windows 10 x64 laptops. After installing the module, we sent the task to enable the module on these 2 laptops and after a reboot both no longer had network connectivity. It turned out Kaspersky interfered with the DHCP client functionality somehow, because it wasn't receiving an IP address anymore; only after setting a static IP did the network connectivity come back. Because of this, I tried to uninstall KES on both of these laptops and they faced similar problems. KES cannot be removed. Using the uninstallation task: It showed the message: 'Fatal error during uninstallation' Uninstall through 'Control Panel > Programs and Features': It hangs a while on 'Stopping services' and halts with the error: Error 1921. Service Kaspersky Seamless Update Service (avpsus) could not be stopped. Verify that you have sufficient privileges to stop system services. This is true, because that service is stuck in the STOPPING state. And I can't stop it using taskkill either. Mind you, I'm running all these as a local administrator and, where possible, with elevated permissions. KAVRemover 1.0.930 fails as well, probably stuck on the same service. It just sits there until I end the process.
952:2ae4 13:13:08.284 ------Utility Stdout ^ ---
952:2ae4 13:13:08.284 Utility Stderr is empty
952:2ae4 13:13:08.284 Command was not executed
952:2ae4 13:13:08.284 ->> Unregister 64bit dlls and exe
952:2ae4 13:13:08.284 Processing section executeall64...
952:2ae4 13:13:08.284 ->> Stopping service avpsus
952:2ae4 13:13:08.284 Processing section assassinate_apvsus...
952:2ae4 13:13:08.284 stopping service "avpsus"...
952:2ae4 13:13:08.284 error: can not stop service 'avpsus'
952:2ae4 13:13:08.284 ->> Remove services and drivers
952:2ae4 13:13:08.284 Processing section remove_services...
952:2ae4 13:13:08.284 removing service/driver 'avp'...
952:21c8 15:05:43.754 Shutdown detected
What's going on? Why does this happen on 2 laptops that are completely unrelated to each other? We're scared to deploy FLE company wide now. The laptops are pretty much useless to us right now. PS: It's kinda related to the topic below I guess, but that has a dead end. http://forum.kaspersky.com/index.php?showt...p;#entry2532020
  15. Well, technically I can. I can just add that server to the list of Update Agents. I was just wondering what would happen if I did. But that's the problem here. There's a UA on a different site, but these sites are connected with a VPN so the other UA can be reached by clients on the other site. I guess I'll just have to block access from one site to the UA/Administration Server in our firewall so they can't reach it. Is it also fine when they're not in the same group, but in a parent or child group?
  16. I understand that. But it was explained to me that, when there are multiple Update Agents assigned to a group, a client will choose the one that's closest in the network topology. For that reason, I wanted to add 2 Update Agents to that group, one that is located on Site #1 and the other located on Site #2. However, the one on Site #1 isn't really an Update Agent, it has to be the Administration Server. Then it was explained to me that the only way to have a client use the Administration Server as Update Agent is to not have an Update Agent defined. Therefore I wonder what would happen if I added the Administration Server as Update Agent to that group.
  17. Sorry, I've edited the screenshots and name from KMWE to Site #1 + #2 to make it more clear what I meant, but forgot to edit that name. My bad! I would assign an update agent to the group called 'Site #1 + #2' in the first screenshot, because there are both clients from Site #1 and Site #2 in the subgroups.
  18. For example, the subgroups of 'Site #1 + #2' (so Clients, Mobile and Servers) have all sorts of clients in them from both sites; these are not in separate groups. When I assign an update agent to the group 'KMWE' for Site #2, the clients from Site #1 will also use it because they're mixed together in those subgroups. What I have to create in order to use the Update Agent only for Site #2 and the Administration Server only for Site #1 is the following: Then I can assign an update agent to the group Site #2 and leave the update agents blank for the group Site #1, in which case it will use the Administration Server. But as you can see from the screenshots, this will require double administration of groups.
  19. I've thought about it for a little while, but using separate groups and relocation rules would require me to do a lot of double administration. What would happen if I added the current Administration Server as an Update Agent to a group? Do I get a double repository?
  20. Also, after installing the plugin, you have to create new policies and update tasks because MR2 is considered a new product as far as I know. When you create a new task or policy, during the second step it asks you for which product you want to create this task/policy. You can now choose between KES SP1 and KES SP1 MR2. To not have to configure the entire policy, I exported and imported the settings. This is what I did, but I don't know if this is the official way.
  21. Thanks for your response! How should I go about doing this when my clients can roam between Site #1 and #2? Say, I have a hierarchy with the group 'Clients'. In this group reside clients that can be connected on either Site #1 or Site #2. I can't separate them into different groups because a lot of them are laptop users and they roam between the 2 sites. Should I just block access in our firewalls to the Administration Server from 1 site (excluding the Update Agent)?
  22. Ok, so if I understand correctly, when there's no Update Agent assigned to a group it looks for an agent in the parent group (or any higher level in the hierarchy), and when there are multiple assigned it does this based on network topology (closest in hops). Correct? That would answer 2 of my questions. What about the question that Dmitry followed up on?
  23. Correct. And I'd like to know how a Network Agent finds the nearest Update Agent, because even though I want clients on Site #2 to connect to the Update Agent on that site, they could still reach the Administration Server on Site #1.