
ak01
  1. I installed the new KES11.1 (11.1.0.15919) on two laptops and activated the new ARP/MAC Spoof detection feature (not prevent, the second option). On my laptop, whenever I switch between Wifi and wired connection, I get the message below. A colleague of mine uses a docking station where the laptop is connected with wifi and wired connection (docking station) and he permanently gets the same message. I disabled the feature for the moment. How does this feature exactly work? How do you recognize a network attack? I assumed that you search for unrequested ARP Replies on the network or you remember the correct MAC of (at least) the gateway IP and if that changes, that might be an attack.

     Ereignistyp: Ein Netzwerkangriff wurde erkannt.
     Programm\Name: Kaspersky Endpoint Security für Windows
     Benutzer: ELISABETHINEN\kloib01 (Aktiver Benutzer)
     Komponente: Schutz vor Netzwerkbedrohungen
     Ergebnis\Beschreibung: Erlaubt
     Objekt: von mehreren unterschiedlichen Quellen
     Objekt\Typ: Netzwerkpaket
     Objekt\Name: von mehreren unterschiedlichen Quellen
     Objekt\Erweitert: Verdächtig:
     Datenbanken vom: 21.03.2019 03:11:00

     Das Ereignis Ein Netzwerkangriff wurde erkannt. trat ein auf dem Computer XXX in der Domäne XXX Dienstag, 26. März 2019 11:41:07 (GMT+01:00)

     Ereignistyp: Ein Netzwerkangriff wurde erkannt.
     Programm\Name: Kaspersky Endpoint Security für Windows
     Benutzer: XXX\XXX (Aktiver Benutzer)
     Komponente: Schutz vor Netzwerkbedrohungen
     Ergebnis\Beschreibung: Erlaubt
     Objekt: von mehreren unterschiedlichen Quellen
     Objekt\Typ: Netzwerkpaket
     Objekt\Name: von mehreren unterschiedlichen Quellen
     Objekt\Erweitert: Verdächtig:
     Datenbanken vom: 05.02.2019 21:32:00
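The two heuristics the post guesses at, as an added example that is neither part of the post nor Kaspersky's implementation: a toy passive ARP monitor that flags unsolicited replies and a known IP changing its MAC, fed with constructed ARP frames. It assumes (as an illustration of the docking-station symptom) that the laptop keeps the same IP on both adapters, which makes a benign Wi-Fi/wired swap look exactly like a spoof to the second heuristic.

```python
from dataclasses import dataclass, field
@dataclass
class ArpEvent:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
@dataclass
class ArpMonitor:
    gateway_ip: str
    ip_to_mac: dict = field(default_factory=dict)
    awaiting: set = field(default_factory=set)   # IPs a request was seen for
    alerts: list = field(default_factory=list)
    def observe(self, ev: ArpEvent) -> list:
        """Feed one ARP frame; return the alerts it raised (also kept in self.alerts)."""
        found = []
        if ev.op == "request":
            self.awaiting.add(ev.target_ip)
            return found
        # Heuristic 1: a reply nobody asked for (unsolicited / gratuitous ARP).
        if ev.sender_ip in self.awaiting:
            self.awaiting.discard(ev.sender_ip)
        else:
            found.append(f"unsolicited reply: {ev.sender_ip} is-at {ev.sender_mac}")
        # Heuristic 2: an IP we already know now claims a different MAC.
        known = self.ip_to_mac.get(ev.sender_ip)
        if known is not None and known != ev.sender_mac:
            who = "gateway" if ev.sender_ip == self.gateway_ip else "host"
            found.append(f"{who} {ev.sender_ip} moved from {known} to {ev.sender_mac}")
        self.ip_to_mac[ev.sender_ip] = ev.sender_mac
        self.alerts.extend(found)
        return found

# Constructed traffic, not a real capture; addresses are placeholders.
GW, LAPTOP = "10.0.0.1", "10.0.0.50"

def gateway_spoof_detected() -> list:
    """The gateway answers once, then a different station answers for it unasked."""
    m = ArpMonitor(GW)
    m.observe(ArpEvent("request", LAPTOP, "00:11:22:33:44:55", GW))
    m.observe(ArpEvent("reply", GW, "00:aa:bb:cc:dd:01", LAPTOP))
    m.observe(ArpEvent("reply", GW, "00:de:ad:be:ef:99", LAPTOP))
    return m.alerts

def dual_nic_false_positive() -> list:
    """A laptop alternating Wi-Fi and wired while keeping one IP trips heuristic 2 on every swap."""
    m = ArpMonitor(GW)
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66") * 2:  # wifi, lan, wifi, lan
        m.observe(ArpEvent("request", GW, "00:aa:bb:cc:dd:01", LAPTOP))
        m.observe(ArpEvent("reply", LAPTOP, mac, GW))
    return m.alerts
```

The second scenario produces one "host moved" alert per adapter change with no attacker present, which is the noise the post describes; a real product would need extra context (interface of origin, DHCP lease data) to tell the two apart.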
  2. On my example server with KSWS10.1 the RegKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager : PendingFileRenameOperations has the following content (what is RebootZombieFile.tmp?):

     \??\C:\Config.Msi\fab0fce.rbf
     \??\C:\Config.Msi\fab0fcf.rbf
     \??\C:\Config.Msi\fab0fd7.rbf
     \??\C:\Config.Msi\fab1047.rbf
     \??\C:\Config.Msi\fab1048.rbf
     \??\C:\Config.Msi\fab1049.rbf
     \??\C:\Config.Msi\fab104a.rbf
     \??\C:\Config.Msi\fab104b.rbf
     \??\C:\Windows\TEMP\KAVREM~1\0B24F9~1\EXEC\RebootZombieFile.tmp
     \??\C:\Windows\TEMP\KAVREM~1\0B24F9~1\J8BnFwLwQ04e46Twrdouu1.tmp
     \??\C:\Windows\TEMP\KAV Remote Installations\d2343570-20de-46bb-80d0-617f29ecdc424c03b507-2ae6-4e80-9906-c0283904816e\y78YZU8Z_SqXQZzELZx9c1.tmp
     \??\C:\Windows\TEMP\KAVREM~1\23A478~1\EXEC\RebootZombieFile.tmp
     \??\C:\Windows\TEMP\KAVREM~1\23A478~1\EXEC\RebootZombieFile.tmp
     \??\C:\Windows\TEMP\KAVREM~1\23A478~1\NMof4+ApyGKlJ6VV6GFdZ0.tmp
     \??\C:\Config.Msi\200a76ad.rbf
  3. I would like to distinguish between "forbidden" and "allowed" for messages like "Host Intrusion Prevention was triggered". I would like to get a mail when it is forbidden, not when it is allowed. Generally, it would be nice if every message which indicates that something is blocked/forbidden would be sent to KSC, so that the admin sees right away on KSC (Events on a special computer) that KES blocked something (but not all the "allowed" messages).

     Ereignistyp: Eine Regel der Programm-Überwachung wurde ausgelöst.
     Programm\Name: 5.6.6; 20180731-1455 [ea03fd0ff2]
     Programm\Pfad: c:\xxx\xxx\
     Programm\Prozess-ID: 10120
     Benutzer: xxx\xxx (Aktiver Benutzer)
     Komponente: Programm-Überwachung
     Ergebnis\Beschreibung: Erlaubt
     Ergebnis\Typ: Zugriff auf Sicherheitseinstellungen
     Ergebnis\Name: Zugriff auf die Webcam
     Ergebnis\Bedrohungsstufe: Niedrig
     Ergebnis\Genauigkeit: Genau
     Aktion: Zugriff auf die Webcam
     Objekt\Typ: Webcam
     Grund: Zugriff auf die Webcam
  4. Is this a bluecoat product? If that is the case, the administrator is able to define what happens when the AV scanner returns that icap error message.
  5. You are talking about the initial password dialog when a stick is connected the first time. What if the user forgets that password? Is it possible to reset that password without full decryption/encryption?
  6. Hi, thank you for that information. Have you already found that issue before or have you noticed it because of my thread?
  7. Hi thank you for that information.
  8. Hi, in Windows Task Scheduler we found a task named "Kaspersky Security for Windows Server OS Upgrade Detect" which gets executed on every user login. Is this really needed (on every user login -> could be a lot on terminal servers)? What does it do? Can we disable it or at least change it to "at startup"? "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Windows Server 10.1\patch.exe" /OsUpgradeDetect
  9. Hello, thank you for that information. And what about KES11? It should be ignorable as well (in my opinion).
  10. I wrote that I do not have a computer right now having that state, but I had a server in that state so I thought that this would be caused by the same reason. Since KSC/KES/KSWS/Agent states that "the operating system needs a reboot", there must be an interface to the operating system in order to get that information. Which interface to the operating system do you use to get this information? I noticed that situation on workstations (KES 11.0.1.90) as well as servers (KSWS10.1). I am using Windows 10 and Server 2012R2/2016.
  11. I do not understand your suggestion. When I terminate KES completely, no policy should be in use. Is this correct? By the way, we found out that when we install the component "file encryption", OneDrive does not work anymore. When we uninstall that component, it works again. That's why I think that there is an incompatibility between file encryption and OneDrive. Is it true that the file encryption uses a special driver to do its job? Maybe that is in conflict with what OneDrive does (since it transparently provides cloud synchronization within the explorer/filesystem, it must also use a driver within the operating system). This would also explain why it also does not work when KES is terminated (since the encryption driver is still active within the system). Is it possible for you to just test that in your lab (Win10 with OneDrive Client with Microsoft account and KES 11.0.1.90)? I think that it would be easy to reproduce in the lab.
  12. I mean what if the user forgets his password which he provided at the first usb stick encryption attempt (for private mode). I have not found any option to change that within the policy, could you please send a screenshot?
  13. I do not have a computer with that state right now, but I had a 2012r2 server and the msi log says: perty(S): MsiSystemRebootPending = 1 After that I found this: https://stackoverflow.com/questions/10875227/how-do-i-reference-the-reboot-pending-property-in-burn-wix http://www.northern.net/en/Training--Support/Knowledge-Base/Reference/Installation-aborted-due-to-pending-system-reboot/ On the mentioned server I have an entry called "PendingFileRenameOperations". Do you think that this is causing KSWS10.1 (in that case) to complain that the operating system needs a reboot?
  14. What about when a user forgets his password? Is the full decrypt and encrypt policy the only way to reset the password?